Loading ...

Play interactive tourEdit tour

Analysis Report racial.drc

Overview

General Information

Sample Name:racial.drc (renamed file extension from drc to dll)
Analysis ID:429223
MD5:d592f2973e1bbd967ce0cc25602ca096
SHA1:ae0073b6708ffbcb3bc0d0b250c67b43618d0102
SHA256:84c2f9ffa40a22ea7082cf9fa91c69f5d5428d616f30f7d4266cb9d74d106245
Tags:dllGozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
Queries the installation date of Windows
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5896 cmdline: loaddll32.exe 'C:\Users\user\Desktop\racial.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5384 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3612 cmdline: rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5316 cmdline: regsvr32.exe /s C:\Users\user\Desktop\racial.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 1752 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 5872 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1752 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 4364 cmdline: rundll32.exe C:\Users\user\Desktop\racial.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "XcnD2ewKHEUCtK1f+aLgHrNg0ax+yJaEQWHiRnybZBp8+uodMhISWv4leSoo8qv94Yp7nN7eHJ+Fwyn8u61qqsKGP3Tc6znVTKRLbzT9WPZrMuSsdt/HztnVs/3QyB9AYrjoSg/9XVCi/ZMXWvk+/9j1f+VWv2RCJlTSph0Uzve7FtxnOT0xBl6o7ggjmqCVLob3OKmyZthO+zptVxFaL1Wnba2K0H5ySB9eH0SzymLsPN5KihXQerCvcZD5sVgXqV1Djx7J0lE1iMtQGxg1y8vjo/XtpKTIx/8piDl5mkVVyl+2UAXptU9jjxuCv3gZSzWsmQVsHERv19M1JbQKUMsIbdhZipSpKsasQY04yK4=", "c2_domain": ["authd.feronok.com", "raw.pablowilliano.at"], "botnet": "1500", "server": "580", "serpent_key": "N6Xp8oSBB81TOAN9", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000003.461266850.0000000002CF0000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    00000000.00000003.464658480.0000000001300000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
      00000003.00000003.460926541.00000000023C0000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
        00000005.00000003.462329890.0000000002FD0000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          2.3.regsvr32.exe.2cf8d03.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
            3.3.rundll32.exe.23c8d03.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              2.2.regsvr32.exe.6d6b0000.3.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                5.3.rundll32.exe.2fd8d03.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  0.3.loaddll32.exe.1308d03.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    Click to see the 3 entries

                    Sigma Overview

                    No Sigma rule has matched

                    Signature Overview

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection:

                    barindex
                    Found malware configurationShow sources
                    Source: 00000002.00000003.461266850.0000000002CF0000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "XcnD2ewKHEUCtK1f+aLgHrNg0ax+yJaEQWHiRnybZBp8+uodMhISWv4leSoo8qv94Yp7nN7eHJ+Fwyn8u61qqsKGP3Tc6znVTKRLbzT9WPZrMuSsdt/HztnVs/3QyB9AYrjoSg/9XVCi/ZMXWvk+/9j1f+VWv2RCJlTSph0Uzve7FtxnOT0xBl6o7ggjmqCVLob3OKmyZthO+zptVxFaL1Wnba2K0H5ySB9eH0SzymLsPN5KihXQerCvcZD5sVgXqV1Djx7J0lE1iMtQGxg1y8vjo/XtpKTIx/8piDl5mkVVyl+2UAXptU9jjxuCv3gZSzWsmQVsHERv19M1JbQKUMsIbdhZipSpKsasQY04yK4=", "c2_domain": ["authd.feronok.com", "raw.pablowilliano.at"], "botnet": "1500", "server": "580", "serpent_key": "N6Xp8oSBB81TOAN9", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
                    Multi AV Scanner detection for domain / URLShow sources
                    Source: authd.feronok.comVirustotal: Detection: 10%Perma Link
                    Multi AV Scanner detection for submitted fileShow sources
                    Source: racial.dllVirustotal: Detection: 20%Perma Link
                    Source: racial.dllReversingLabs: Detection: 34%
                    Source: racial.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                    Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49716 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49717 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49729 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49730 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49728 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49731 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49732 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49733 version: TLS 1.2
                    Source: racial.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: c:\Steam\Egg\332\people\Spec\Road.pdb source: loaddll32.exe, 00000000.00000002.497211170.000000006D709000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.501318776.000000006D709000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.498246334.000000006D709000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.502241287.000000006D709000.00000002.00020000.sdmp, racial.dll
                    Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D700D7A FindFirstFileExW,0_2_6D700D7A
                    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6D700D7A FindFirstFileExW,2_2_6D700D7A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D700D7A FindFirstFileExW,3_2_6D700D7A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6D700D7A FindFirstFileExW,5_2_6D700D7A
                    Source: Joe Sandbox ViewIP Address: 104.20.184.68 104.20.184.68
                    Source: Joe Sandbox ViewIP Address: 151.101.1.44 151.101.1.44
                    Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
                    Source: de-ch[1].htm.6.drString found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
                    Source: msapplication.xml0.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6e3390d9,0x01d758dd</date><accdate>0x6e3390d9,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                    Source: msapplication.xml0.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6e3390d9,0x01d758dd</date><accdate>0x6e3390d9,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                    Source: msapplication.xml5.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6e3390d9,0x01d758dd</date><accdate>0x6e3390d9,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                    Source: msapplication.xml5.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6e3390d9,0x01d758dd</date><accdate>0x6e3390d9,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                    Source: msapplication.xml7.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6e3ab7f0,0x01d758dd</date><accdate>0x6e3ab7f0,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                    Source: msapplication.xml7.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6e3ab7f0,0x01d758dd</date><accdate>0x6e3ab7f0,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                    Source: de-ch[1].htm.6.drString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
                    Source: de-ch[1].htm.6.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
                    Source: unknownDNS traffic detected: queries for: www.msn.com
                    Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns#
                    Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns/fb#
                    Source: auction[1].htm.6.drString found in binary or memory: http://popup.taboola.com/german
                    Source: {945187ED-C4D0-11EB-90E6-ECF4BB82F7E0}.dat.4.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
                    Source: msapplication.xml.4.drString found in binary or memory: http://www.amazon.com/
                    Source: msapplication.xml1.4.drString found in binary or memory: http://www.google.com/
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
                    Source: msapplication.xml2.4.drString found in binary or memory: http://www.live.com/
                    Source: msapplication.xml3.4.drString found in binary or memory: http://www.nytimes.com/
                    Source: msapplication.xml4.4.drString found in binary or memory: http://www.reddit.com/
                    Source: msapplication.xml5.4.drString found in binary or memory: http://www.twitter.com/
                    Source: msapplication.xml6.4.drString found in binary or memory: http://www.wikipedia.com/
                    Source: msapplication.xml7.4.drString found in binary or memory: http://www.youtube.com/
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://amzn.to/2TTxhNg
                    Source: auction[1].htm.6.drString found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
                    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
                    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
                    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://client-s.gateway.messenger.live.com
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
                    Source: {945187ED-C4D0-11EB-90E6-ECF4BB82F7E0}.dat.4.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
                    Source: {945187ED-C4D0-11EB-90E6-ECF4BB82F7E0}.dat.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                    Source: {945187ED-C4D0-11EB-90E6-ECF4BB82F7E0}.dat.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
                    Source: auction[1].htm.6.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
                    Source: auction[1].htm.6.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1622736176&amp;rver
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1622736176&amp;rver=7.0.6730.0&am
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/logout.srf?ct=1622736177&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1622736176&amp;rver=7.0.6730.0&amp;w
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/#qt=mru
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/about/en/download/
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;Fotos
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://outlook.com/
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/calendar
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
                    Source: {945187ED-C4D0-11EB-90E6-ECF4BB82F7E0}.dat.4.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
                    Source: imagestore.dat.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFgOM.img?h=368&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXITZ.img?h=27&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://support.skype.com
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://twitter.com/
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://twitter.com/i/notifications;Ich
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/
                    Source: {945187ED-C4D0-11EB-90E6-ECF4BB82F7E0}.dat.4.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/26-j%c3%a4hriger-mann-stirbt-nach-sturz-auf-vorpla
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/eye-tracking-bei-online-pr%c3%bcfungen-keiner-%c3%
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/k%c3%b6nnen-seil-oder-hochbahnen-z%c3%bcrichs-verk
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/mehr-sicherheit-und-weniger-versp%c3%a4tungen-im-f
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wer-bekommt-im-kanton-z%c3%bcrich-pr%c3%a4mienverb
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/berufung-zum-professor-ohne-doktortitel/ar-AAKEMiw?ocid=hplocal
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/der-singende-snowboader/ar-AAKFmIQ?ocid=hplocalnews
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/gr%c3%bcne-fordern-regierung-soll-zeitungen-f%c3%b6rdern/ar-AAK
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/junger-mann-stirbt-nach-sturz-von-einer-mauer-bei-der-eth/ar-AA
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/walt-disney-sprach-ihn-an-und-pl%c3%b6tzlich-stand-sein-leben-k
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/sport/nachrichten/schweiz-unterliegt-deutschland-im-penaltyschiessen/ar-AA
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skype.com/
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/de
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/de/download-skype
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                    Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49716 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49717 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49729 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49730 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49728 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49731 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49732 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49733 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    barindex
                    Yara detected UrsnifShow sources
                    Source: Yara matchFile source: 00000002.00000003.461266850.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.464658480.0000000001300000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.460926541.00000000023C0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000003.462329890.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 2.3.regsvr32.exe.2cf8d03.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.3.rundll32.exe.23c8d03.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.regsvr32.exe.6d6b0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.3.rundll32.exe.2fd8d03.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.loaddll32.exe.1308d03.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.6d6b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.rundll32.exe.6d6b0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.loaddll32.exe.6d6b0000.0.unpack, type: UNPACKEDPE
                    Source: loaddll32.exe, 00000000.00000002.496311115.000000000159B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    E-Banking Fraud:

                    barindex
                    Yara detected UrsnifShow sources
                    Source: Yara matchFile source: 00000002.00000003.461266850.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.464658480.0000000001300000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.460926541.00000000023C0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000003.462329890.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 2.3.regsvr32.exe.2cf8d03.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.3.rundll32.exe.23c8d03.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.regsvr32.exe.6d6b0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.3.rundll32.exe.2fd8d03.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.loaddll32.exe.1308d03.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.6d6b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.rundll32.exe.6d6b0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.loaddll32.exe.6d6b0000.0.unpack, type: UNPACKEDPE
                    Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D6B2485 NtQueryVirtualMemory,0_2_6D6B2485
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D6B2485 NtQueryVirtualMemory,3_2_6D6B2485
                    Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D6B22640_2_6D6B2264
                    Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D6F52500_2_6D6F5250
                    Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D705DE10_2_6D705DE1
                    Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D705CC10_2_6D705CC1
                    Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D7076750_2_6D707675
                    Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D6FD8400_2_6D6FD840
                    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6D6F52502_2_6D6F5250
                    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6D705DE12_2_6D705DE1
                    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6D705CC12_2_6D705CC1
                    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6D7076752_2_6D707675
                    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6D6FD8402_2_6D6FD840
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D6B22643_2_6D6B2264
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D6F52503_2_6D6F5250
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D705DE13_2_6D705DE1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D705CC13_2_6D705CC1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D7076753_2_6D707675
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D6FD8403_2_6D6FD840
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6D6F52505_2_6D6F5250
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6D705DE15_2_6D705DE1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6D705CC15_2_6D705CC1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6D7076755_2_6D707675
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6D6FD8405_2_6D6FD840
                    Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6D6F7990 appears 37 times
                    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 6D6F7990 appears 37 times
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6D6F7990 appears 74 times
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6D700930 appears 36 times
                    Source: racial.dllBinary or memory string: OriginalFilenameRoad.dll8 vs racial.dll
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                    Source: racial.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    Source: racial.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: classification engineClassification label: mal72.troj.winDLL@13/124@10/3
                    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{945187EB-C4D0-11EB-90E6-ECF4BB82F7E0}.datJump to behavior
                    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DF7209158F6E36A060.TMPJump to behavior
                    Source: racial.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1
                    Source: racial.dllVirustotal: Detection: 20%
                    Source: racial.dllReversingLabs: Detection: 34%
                    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\racial.dll'
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\racial.dll
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\racial.dll,DllRegisterServer
                    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1752 CREDAT:17410 /prefetch:2
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1Jump to behavior
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\racial.dllJump to behavior
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exeJump to behavior
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\racial.dll,DllRegisterServerJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1Jump to behavior
                    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1752 CREDAT:17410 /prefetch:2Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                    Source: racial.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: racial.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: racial.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: racial.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: racial.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: racial.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: racial.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                    Source: racial.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: c:\Steam\Egg\332\people\Spec\Road.pdb source: loaddll32.exe, 00000000.00000002.497211170.000000006D709000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.501318776.000000006D709000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.498246334.000000006D709000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.502241287.000000006D709000.00000002.00020000.sdmp, racial.dll
                    Source: racial.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: racial.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: racial.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: racial.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: racial.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata