Loading ...

Play interactive tourEdit tour

Analysis Report racial.drc

Overview

General Information

Sample Name:racial.drc (renamed file extension from drc to dll)
Analysis ID:429224
MD5:7baac8ddbdcdf8e60b4a2d91fa6e1bef
SHA1:7ba908347f36deec45bff3c5d61de26333598636
SHA256:8b288921b1564824348d566efea90f5b3915a37d0e3b8a2a3e0a95299013890b
Tags:dllGozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the installation date of Windows
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4720 cmdline: loaddll32.exe 'C:\Users\user\Desktop\racial.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 1932 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3864 cmdline: rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 2396 cmdline: regsvr32.exe /s C:\Users\user\Desktop\racial.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 2212 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 3728 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5644 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17426 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 1848 cmdline: rundll32.exe C:\Users\user\Desktop\racial.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "XcnD2ewKHEUCtK1f+aLgHrNg0ax+yJaEQWHiRnybZBp8+uodMhISWv4leSoo8qv94Yp7nN7eHJ+Fwyn8u61qqsKGP3Tc6znVTKRLbzT9WPZrMuSsdt/HztnVs/3QyB9AYrjoSg/9XVCi/ZMXWvk+/9j1f+VWv2RCJlTSph0Uzve7FtxnOT0xBl6o7ggjmqCVLob3OKmyZthO+zptVxFaL1Wnba2K0H5ySB9eH0SzymLsPN5KihXQerCvcZD5sVgXqV1Djx7J0lE1iMtQGxg1y8vjo/XtpKTIx/8piDl5mkVVyl+2UAXptU9jjxuCv3gZSzWsmQVsHERv19M1JbQKUMsIbdhZipSpKsasQY04yK4=", "c2_domain": ["authd.feronok.com", "raw.pablowilliano.at"], "botnet": "1500", "server": "580", "serpent_key": "N6Xp8oSBB81TOAN9", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000003.409632514.00000000030B0000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    00000003.00000003.414055560.0000000002D70000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
      00000005.00000003.421428339.0000000003120000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
        00000000.00000003.424668518.00000000005E0000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
          00000003.00000002.473399116.0000000005658000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.3.rundll32.exe.3128d03.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              2.3.regsvr32.exe.30b8d03.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                0.2.loaddll32.exe.6e200000.2.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  5.2.rundll32.exe.6e200000.1.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    2.2.regsvr32.exe.6e200000.1.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                      Click to see the 3 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000002.00000003.409632514.00000000030B0000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "XcnD2ewKHEUCtK1f+aLgHrNg0ax+yJaEQWHiRnybZBp8+uodMhISWv4leSoo8qv94Yp7nN7eHJ+Fwyn8u61qqsKGP3Tc6znVTKRLbzT9WPZrMuSsdt/HztnVs/3QyB9AYrjoSg/9XVCi/ZMXWvk+/9j1f+VWv2RCJlTSph0Uzve7FtxnOT0xBl6o7ggjmqCVLob3OKmyZthO+zptVxFaL1Wnba2K0H5ySB9eH0SzymLsPN5KihXQerCvcZD5sVgXqV1Djx7J0lE1iMtQGxg1y8vjo/XtpKTIx/8piDl5mkVVyl+2UAXptU9jjxuCv3gZSzWsmQVsHERv19M1JbQKUMsIbdhZipSpKsasQY04yK4=", "c2_domain": ["authd.feronok.com", "raw.pablowilliano.at"], "botnet": "1500", "server": "580", "serpent_key": "N6Xp8oSBB81TOAN9", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
                      Multi AV Scanner detection for domain / URLShow sources
                      Source: authd.feronok.comVirustotal: Detection: 10%Perma Link
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: racial.dllVirustotal: Detection: 23%Perma Link
                      Source: racial.dllReversingLabs: Detection: 31%
                      Source: racial.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49702 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49703 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49714 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49715 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49716 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49717 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49718 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49719 version: TLS 1.2
                      Source: racial.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: c:\Steam\Egg\332\people\Spec\Road.pdb source: loaddll32.exe, 00000000.00000002.473191457.000000006E259000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.471562632.000000006E259000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.473947664.000000006E259000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.475828227.000000006E259000.00000002.00020000.sdmp, racial.dll
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E250D7A FindFirstFileExW,0_2_6E250D7A
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E250D7A FindFirstFileExW,2_2_6E250D7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E250D7A FindFirstFileExW,3_2_6E250D7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E250D7A FindFirstFileExW,5_2_6E250D7A
                      Source: Joe Sandbox ViewIP Address: 104.20.184.68 104.20.184.68
                      Source: Joe Sandbox ViewIP Address: 151.101.1.44 151.101.1.44
                      Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
                      Source: de-ch[1].htm.6.drString found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
                      Source: msapplication.xml0.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8bc19ea3,0x01d758dd</date><accdate>0x8bc19ea3,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                      Source: msapplication.xml0.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8bc19ea3,0x01d758dd</date><accdate>0x8bc19ea3,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                      Source: msapplication.xml5.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8bc824a5,0x01d758dd</date><accdate>0x8bc824a5,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                      Source: msapplication.xml5.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8bc824a5,0x01d758dd</date><accdate>0x8bc824a5,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                      Source: msapplication.xml7.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8bc824a5,0x01d758dd</date><accdate>0x8bc824a5,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                      Source: msapplication.xml7.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8bc824a5,0x01d758dd</date><accdate>0x8bc824a5,0x01d758dd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                      Source: de-ch[1].htm.6.drString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
                      Source: de-ch[1].htm.6.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
                      Source: unknownDNS traffic detected: queries for: www.msn.com
                      Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns#
                      Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns/fb#
                      Source: auction[1].htm.6.drString found in binary or memory: http://popup.taboola.com/german
                      Source: ~DF1C59239F0C65121E.TMP.4.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
                      Source: msapplication.xml.4.drString found in binary or memory: http://www.amazon.com/
                      Source: msapplication.xml1.4.drString found in binary or memory: http://www.google.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
                      Source: msapplication.xml2.4.drString found in binary or memory: http://www.live.com/
                      Source: msapplication.xml3.4.drString found in binary or memory: http://www.nytimes.com/
                      Source: msapplication.xml4.4.drString found in binary or memory: http://www.reddit.com/
                      Source: msapplication.xml5.4.drString found in binary or memory: http://www.twitter.com/
                      Source: msapplication.xml6.4.drString found in binary or memory: http://www.wikipedia.com/
                      Source: msapplication.xml7.4.drString found in binary or memory: http://www.youtube.com/
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://amzn.to/2TTxhNg
                      Source: auction[1].htm.6.drString found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://client-s.gateway.messenger.live.com
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
                      Source: ~DF1C59239F0C65121E.TMP.4.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
                      Source: ~DF1C59239F0C65121E.TMP.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                      Source: ~DF1C59239F0C65121E.TMP.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
                      Source: auction[1].htm.6.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
                      Source: auction[1].htm.6.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1622736225&amp;rver
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1622736225&amp;rver=7.0.6730.0&am
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/logout.srf?ct=1622736226&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1622736225&amp;rver=7.0.6730.0&amp;w
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/#qt=mru
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/about/en/download/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;Fotos
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://outlook.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/calendar
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
                      Source: ~DF1C59239F0C65121E.TMP.4.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
                      Source: imagestore.dat.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFgOM.img?h=368&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXITZ.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://support.skype.com
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://twitter.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://twitter.com/i/notifications;Ich
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
                      Source: iab2Data[1].json.6.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/
                      Source: ~DF1C59239F0C65121E.TMP.4.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/26-j%c3%a4hriger-mann-stirbt-nach-sturz-auf-vorpla
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/eye-tracking-bei-online-pr%c3%bcfungen-keiner-%c3%
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/k%c3%b6nnen-seil-oder-hochbahnen-z%c3%bcrichs-verk
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/mehr-sicherheit-und-weniger-versp%c3%a4tungen-im-f
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wer-bekommt-im-kanton-z%c3%bcrich-pr%c3%a4mienverb
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/berufung-zum-professor-ohne-doktortitel/ar-AAKEMiw?ocid=hplocal
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/der-singende-snowboader/ar-AAKFmIQ?ocid=hplocalnews
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/gr%c3%bcne-fordern-regierung-soll-zeitungen-f%c3%b6rdern/ar-AAK
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/junger-mann-stirbt-nach-sturz-von-einer-mauer-bei-der-eth/ar-AA
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/walt-disney-sprach-ihn-an-und-pl%c3%b6tzlich-stand-sein-leben-k
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/sport/nachrichten/schweiz-unterliegt-deutschland-im-penaltyschiessen/ar-AA
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skype.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/de
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/de/download-skype
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
                      Source: iab2Data[1].json.6.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
                      Source: iab2Data[1].json.6.drString found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49702 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49703 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49714 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49715 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49716 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49717 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49718 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49719 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000003.00000002.473399116.0000000005658000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3864, type: MEMORY
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000002.00000003.409632514.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.414055560.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.421428339.0000000003120000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.424668518.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 5.3.rundll32.exe.3128d03.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.regsvr32.exe.30b8d03.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e200000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.6e200000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.6e200000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.5e8d03.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6e200000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2d78d03.0.raw.unpack, type: UNPACKEDPE

                      E-Banking Fraud:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000003.00000002.473399116.0000000005658000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3864, type: MEMORY
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000002.00000003.409632514.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.414055560.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.421428339.0000000003120000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.424668518.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 5.3.rundll32.exe.3128d03.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.regsvr32.exe.30b8d03.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e200000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.6e200000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.6e200000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.5e8d03.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6e200000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2d78d03.0.raw.unpack, type: UNPACKEDPE

                      System Summary:

                      barindex
                      Writes registry values via WMIShow sources
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E201B89 NtMapViewOfSection,0_2_6E201B89
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2018D1 GetProcAddress,NtCreateSection,memset,0_2_6E2018D1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E202485 NtQueryVirtualMemory,0_2_6E202485
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E202485 NtQueryVirtualMemory,2_2_6E202485
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2022640_2_6E202264
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2452500_2_6E245250
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2576750_2_6E257675
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E255CC10_2_6E255CC1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E255DE10_2_6E255DE1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E24D8400_2_6E24D840
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E2022642_2_6E202264
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E2452502_2_6E245250
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E2576752_2_6E257675
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E255CC12_2_6E255CC1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E255DE12_2_6E255DE1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E24D8402_2_6E24D840
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2452503_2_6E245250
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2576753_2_6E257675
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E255CC13_2_6E255CC1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E255DE13_2_6E255DE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E24D8403_2_6E24D840
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E2452505_2_6E245250
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E2576755_2_6E257675
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E255CC15_2_6E255CC1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E255DE15_2_6E255DE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E24D8405_2_6E24D840
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E247990 appears 37 times
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 6E247990 appears 37 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E250930 appears 36 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E247990 appears 74 times
                      Source: racial.dllBinary or memory string: OriginalFilenameRoad.dll8 vs racial.dll
                      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                      Source: racial.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: racial.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal84.troj.winDLL@15/127@10/3
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF68CE0292F979F001.TMPJump to behavior
                      Source: racial.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1
                      Source: racial.dllVirustotal: Detection: 23%
                      Source: racial.dllReversingLabs: Detection: 31%
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\racial.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\racial.dll
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\racial.dll,DllRegisterServer
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17410 /prefetch:2
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17426 /prefetch:2
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\racial.dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exeJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\racial.dll,DllRegisterServerJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\racial.dll',#1Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17426 /prefetch:2Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected