Play interactive tour

Edit tour

Analysis Report laka4.dll

Overview

General Information

Sample Name:	laka4.dll
Analysis ID:	399641
MD5:	4f2aee8563f78102b67ea3f6d9b9166b
SHA1:	518888baf0266a9638d20fd04cb5727f864d3b39
SHA256:	fd35940bf6701f7d98b39196b19273c86c74757ca2c226cff607fa23df183e03
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain checking for process token information

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Potential browser exploit detected (process start blacklist hit)

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6880 cmdline: loaddll32.exe 'C:\Users\user\Desktop\laka4.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6912 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6932 cmdline: rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 6992 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4684 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 6920 cmdline: regsvr32.exe /s C:\Users\user\Desktop\laka4.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

cmd.exe (PID: 6964 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7164 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 660 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iexplore.exe (PID: 6952 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 7096 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

rundll32.exe (PID: 7036 cmdline: rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 7128 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6568 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6412 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 6676 cmdline: rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 6516 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4780 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5756 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1368 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6784 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6904 cmdline: C:\Windows\system32\cmd.exe /c echo 'Guess s' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "L/wCy1GoxvEX4NLWc+yzxnqqtxjDB+8uPxRZvPrlDrMxQ2bbJq01o9WFOiHLCJrh+RKu9huQeKHCb5yXElgk2Nd3rgkxeee1N9o1azRKGb/pjfM9Tj2n60aZVNcvtvZDmiTCZ7Le99YkfP0IzOFfvN2B4OghgFjwQeKs81oBHGk2pngD1Zlrq72yIa/kUYrf"}, {"c2_domain": ["1.microsoft.com", "silugerude.xyz", "vilugerude.xyz"], "botnet": "4463", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}]]

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.1030930479.00000000010B1000.00000004.00000001.sdmp	SUSP_LNK_SuspiciousCommands	Detects LNK file with suspicious content	Florian Roth	0x16bee:$s12: WScript.Shell 0x17a8d:$s12: wscript.shell
00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.loaddll32.exe.bda481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.2f4a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
24.3.rundll32.exe.311a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.regsvr32.exe.f4a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
8.3.rundll32.exe.2e1a481.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 24.3.rundll32.exe.311a481.0.raw.unpack

Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "L/wCy1GoxvEX4NLWc+yzxnqqtxjDB+8uPxRZvPrlDrMxQ2bbJq01o9WFOiHLCJrh+RKu9huQeKHCb5yXElgk2Nd3rgkxeee1N9o1azRKGb/pjfM9Tj2n60aZVNcvtvZDmiTCZ7Le99YkfP0IzOFfvN2B4OghgFjwQeKs81oBHGk2pngD1Zlrq72yIa/kUYrf"}, {"c2_domain": ["1.microsoft.com", "silugerude.xyz", "vilugerude.xyz"], "botnet": "4463", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}]]

Source: laka4.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49750 version: TLS 1.2

Source:

Binary string: c:\Floor help\sharp\Baby\Meas\smile.pdb source: laka4.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D7DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		0_2_007D7DA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F47DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_00F47DA3

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\System32\conhost.exe

Jump to behavior

Networking:

Performs DNS queries to domains with low reputation

Show sources

Source:	DNS query: silugerude.xyz
Source:	DNS query: silugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: silugerude.xyz
Source:	DNS query: silugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz
Source:	DNS query: vilugerude.xyz

Source: Joe Sandbox View

IP Address: 104.20.185.68 104.20.185.68

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: de-ch[1].htm.10.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x156dd860,0x01d73c7e</date><accdate>0x156dd860,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x15729d0d,0x01d73c7e</date><accdate>0x15729d0d,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1574ff56,0x01d73c7e</date><accdate>0x1574ff56,0x01d73c7e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.10.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.10.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: de-ch[1].htm.10.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.10.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: ~DF350590C2B9D41CB2.TMP.5.dr, {8BC3AC88-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/BCk7mFxSRy/Qm0SzTs5dMXdNL8SU/P_2BkhEGcRW5/U9Vx3mh5hRK/dX0HNPUxJl8j6m/IQf
Source: {92BC32FA-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/JYNgnm_2BBHAequLwRjE0/wog2aPyjIrhfiChj/_2F7KNmTOp7gcHK/jNoiBVFK7FGrcvPg_
Source: ~DF29CFFC13F95711AB.TMP.5.dr, {7ECFB246-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/TFAutzbu/gCe3ncCBLMH7DreC61qLPHX/ngaLnwVCvh/xXteQjB63wWsF2t6A/Zz_2BRALS7
Source: ~DF6E75D50C571952C5.TMP.5.dr, {7ECFB244-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://silugerude.xyz/palok/Ypgl4JI_2FR/m0yEq7_2B7ljWe/BPm0RVhpDIfFWYr2d3BFy/aXhI5T_2B9mwNkry/hFC_2F
Source: imagestore.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/favicon.ico
Source: imagestore.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/favicon.ico~
Source: {9F800807-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/02XIlHxdbtKM8P3i3ca/47BqsC6_2FhAXQycTT8tDA/RUNfA0sZ_2BZr/1jh8HIyV/8yUbmY
Source: ~DFFCDBC08326237A5C.TMP.5.dr, {92BC32FC-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/ByknSZ2tON9683wB1nz_2/FXwcC_2Ftu5SOLf_/2B2lhXejD0yHkC3/naPotBkzM8oI0dYk3
Source: {9F80080F-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr, ~DFBDDF96D7C9F8EE76.TMP.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/CW13K5mE2c3xbRAfZePcI/XEak48G8SmMzV00N/TmMgf_2FUC_2FO8/q1mZ7RFRjJFdb0E2U
Source: ~DFF281750E0F709160.TMP.5.dr, {8BC3AC80-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/ISxtPb9NBDRdKdPIDnGulH/UHMvfd9n0X2gt/HgBUH102/d1m0OPwBZ0XynInWe6FU1aI/20
Source: ~DFC13F73B5108036FD.TMP.5.dr, {8BC3AC82-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/ZSXFTmnkcje5EOH/umoJg5Byr3I9szhZzJ/RAjbLNU7_/2BKMDUk3G_2Bo_2FwnsZ/OrQwr5
Source: ~DF5B84FB0897B0685F.TMP.5.dr, {8BC3AC86-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/aOnuW4Kc8kOdYhrgG/HHSmkSFK_2Fd/FqiAyDyS_2B/Bifl3Bed0SdPBr/pMym6LPCFFnLXB
Source: rundll32.exe, 00000003.00000003.1009779943.0000000003034000.00000004.00000001.sdmp, ~DFB72C5D5D1A9C9D82.TMP.5.dr, {9F80080B-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/dFnfMK1xAnp5I7t/YmapWF7tOTYN7Dd_2B/6kHZ1aN0G/zjxUimz2MEw0rWfqLZLJ/gCkKKi
Source: {9F80080D-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/neoLoiiKtwHl6QdM4A/f0O2DxWQo/5EJl2Tz8iA7cOU69VgBA/IeUG6sell9ZjI6yQKow/fY
Source: ~DFD692E6FF3D6732D0.TMP.5.dr, {9F800811-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/qo_2FTJl/jnoEfVMzZHt3_2BMW0xDKGO/M1Kxv2lNpc/7gbEDrc_2F2egCapG/TuTROOPwVO
Source: {92BC32FE-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/t9KapG5Lp7Zt_2Fa57QG/GX7NNpbipoY4mmC8m9o/47gVROA6RCGhiLCLu_2F0K/y86ol3pt
Source: ~DF1901F2BDB9BBEDC1.TMP.5.dr, {9F800809-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/taR_2BUDt4igM2RX/qZ890U_2FvXmpm7/kLlTmzjbCaxzLI30UD/sG2rHuNAE/XyrX_2Fzhy
Source: {8BC3AC84-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: http://vilugerude.xyz/palok/vUdO_2B4IZ3J_2Bd6F3sVbz/0bLr6U_2BT/ty33Mhp8Qlrf5CraM/knAI6s31dF0P/5ITH10
Source: msapplication.xml.5.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24952290&epi=dech
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.10.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1619648989&rver
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1619648989&rver=7.0.6730.0&am
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1619648990&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1619648989&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1g9leV.img?h=368&amp
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/en-us?"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.10.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {3BB1EF45-A871-11EB-90EB-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/in-z%c3%bcrich-k%c3%b6nnen-sich-nun-auch-personen-
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/%c3%a4rger-%c3%bcber-auto-poser-klagen-%c3%bcber-f
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/alle-sagen-du-siehst-so-gut-aus-doch-der-long-covi
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/cyberkriminalit%c3%a4t-nimmt-zu-so-k%c3%b6nnen-sie
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/so-laut-wie-ein-presslufthammer-auto-poser-rauben-
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/st-galler-regierung-verteidigt-polizeieinsatz-in-r
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/urteil-mit-signalwirkung-unternehmer-erh%c3%a4lt-1
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wie-sich-der-z%c3%bcrcher-kantonsrat-durch-seine-b
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/eine-autoposer-fahrt-war-so-laut-wie-ein-presslufthammer/ar-BB1
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/querulant-k%c3%a4mpft-erfolgreich-gegen-hausverbot/ar-BB1g5LzJ?
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.10.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.10.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.10.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.10.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D5408 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_007D5408
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DB2E1 NtQueryVirtualMemory,	0_2_007DB2E1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F45408 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_00F45408
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4B2E1 NtQueryVirtualMemory,	2_2_00F4B2E1

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DA032	0_2_007DA032
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DB0BC	0_2_007DB0BC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D5B45	0_2_007D5B45
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D73DB	0_2_007D73DB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4B0BC	2_2_00F4B0BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4A032	2_2_00F4A032
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F473DB	2_2_00F473DB

Source: laka4.dll

Binary or memory string: OriginalFilenamesmile.dll@ vs laka4.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: laka4.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 00000002.00000002.1030930479.00000000010B1000.00000004.00000001.sdmp, type: MEMORY

Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =

Source: classification engine

Classification label: mal100.troj.evad.winDLL@77/155@26/1

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007D9E28 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

0_2_007D9E28

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3BB1EF43-A871-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC198BA407A93F7AA.TMP

Jump to behavior

Source: laka4.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\laka4.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\laka4.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\laka4.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,Brightnight	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\laka4.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6952 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: laka4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: laka4.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\Floor help\sharp\Baby\Meas\smile.pdb source: laka4.dll

Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: laka4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: laka4.dll

Static PE information: real checksum: 0x93768 should be: 0x9718f

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\laka4.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DE41E push esp; ret	0_2_007DE420
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DACF0 push ecx; ret	0_2_007DACF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DEAE5 push ds; retf	0_2_007DEAEB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DB0AB push ecx; ret	0_2_007DB0BB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DE163 push edx; iretd	0_2_007DE164
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DE919 pushfd ; ret	0_2_007DE91A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007DE5D9 push eax; iretd	0_2_007DE5DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4ACF0 push ecx; ret	2_2_00F4ACF9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4EAE5 push ds; retf	2_2_00F4EAEB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4B0AB push ecx; ret	2_2_00F4B0BB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4E41E push esp; ret	2_2_00F4E420
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4E5D9 push eax; iretd	2_2_00F4E5DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4E163 push edx; iretd	2_2_00F4E164
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F4E919 pushfd ; ret	2_2_00F4E91A

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\regsvr32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6924	Thread sleep count: 75 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 66 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6416	Thread sleep count: 149 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_007D7DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		0_2_007D7DA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F47DA3 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_00F47DA3

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 6528	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 5064	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 6708	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 4172	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 5584	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Thread register set: target process: 6972	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\laka4.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo 'Guess s'

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007D3C3A cpuid

0_2_007D3C3A

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007D947A HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,

0_2_007D947A

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007D3C3A RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_007D3C3A

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_007DA499 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_007DA499

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.838142140.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857625114.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909665638.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.959293774.00000000054AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905711954.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905674059.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857795473.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.938999366.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857776316.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905782753.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905833677.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909829429.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857683077.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909904535.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857820386.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857808720.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838200660.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909762591.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857714581.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1009913837.000000000541C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838181374.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909865416.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909891092.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909848147.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838052469.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838002362.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905819560.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.909807581.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1013072792.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838240951.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.857756795.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.838099477.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905803436.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905753199.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.837840447.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.905845684.0000000005618000.00000004.00000040.sdmp, type: MEMORY

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000018.00000003.775701050.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.780693607.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.766624106.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.764888743.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.763148290.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.loaddll32.exe.bda481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.rundll32.exe.311a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.f4a481.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.2e1a481.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	Process Injection211	Rootkit4	Credential API Hooking3	System Time Discovery1	Remote Services	Credential API Hooking3	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Masquerading1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion11	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection211	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Regsvr321	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report laka4.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails