Analysis Report 1.dll

Overview

General Information

Sample Name: 1.dll
Analysis ID: 429332
MD5: 27955775dfd73e08550fa42f20a8ef14
SHA1: 69e19132abbe882d20d5cde2927ce0ae1c928457
SHA256: 23e30ba8de300b7a8d53acdefa9bdee1e607a965f4dd3c42b9385f408d6e77a8
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries the installation date of Windows
Registers a DLL
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6W61j9yq8/abuhFDsODTcGxVnWQ/E_2BE3e1OTvy/3WD7TSUbyOm/cpm4396P_2Fjd0/pOy7riIEzmJp_2FxZmWLM/gNpof3_2FnlsfWUd/1743QqIgg_2FQRu/ZKVtHnC8C1xvmv_2B8/vHh2F1obc/m3eV0F3yYMczZiknu1Ew/H6Bi_2BTSpyXLXazxZH/wg8NqLvm2lSF1HlaU3pANa/1U6Z_2BZLYJJ_/2BlaNQcq/ledo9CFvcm_2F6MjGWcFo9L/RAKX4mmp_2/F_2FxtA6ZOAujrSBZ/4yu9h7z Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1Uc9Lk5/eTvtAYmWtMxfAC/IbcZg8p7Nqfw4xi6JFwgY/iX8lYPiI0RfUKruW/cRS7MvLhOTcIXvx/A_2F5SdmT8BNOtLhIu/P7uLQkYdw/iuMR5Z51enQS4ZwsoBTP/Dtp84_2B7PB4d6Ih_2F/AlW2oiOiFE_2FnyCSEdY9y/vWCqa6t9PLYnR/oBTHljmW/b1W1259HTZYZTaG9O2900Q0/yz_2FOFMzC/llouIHAJZHwF3f0aR/_2FSLB7YfaTL/BdH925d4dS3/7iDYe3o7fiS/Pl Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/sX4dtwL7bay/rzZGwpnfzczFz3/LsBuX9huxqt_2FdLEMzat/b0BQWHIzHX0afe_2/FzCUWE Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_2FkBi36_/2BcKHehCiVzJ0ZlxZwUe/L605o3IJbqARL43QjWI/5xKrHdjyff8x2rKCgmO7Mu/SD9GyKc_2FBsi/PnW3TDEt/vmXdCw3sFAveNrYKm6TcRex/ohSiZG5THC/3RxSnoz2RW1R2SJHo/_2BwMcdQnslY/eZbgGLoqDt1/hcHL1ijHz1HAC4/B1wguCo7y8KJKFrVLMood/ADnIvNjKfSqFXvOX/vfzJTRrlv1hKd_2/FiJ_2B9pSc20z1/m Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2FnvdcE Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/favicon.ico Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/dgzEbQ4OdHi6vrZ8TXtj/42P6D_2FQzGJBqjHjxr/k7tYCNr_2BHR8cgUzK_2Bs/fZKbEnCTwoi Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/hmMzQKK9IpZemMI/AV6w9eELu1YSVPBd2B/U2fmYepaP/iI8O34L03l282SsJYJjt/THEo6G77t Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey8/9KmQXXHW4gs3a/9wgniy83/wKdGA8aJWZ5vZIo_2FiHAUb/zP0hJ_2BZH/ieJtaC2qsJk3_2Fow/0ttQYgmKdzve/ExwbYpZnP5c/82RPIPzJe1gOLF/_2BRc7ZeEUGg3SmE1TpuS/gPPWxB_2BjL0KDQa/cEkcJSpFensONz2/JuZCF1CCARKPWeUk_2/FvcrH8CIA/yx05ZSmlcDL9ZKkPz_2F/hnEgW0PJ8VaXmVS3OM5/DCOZcdQW8DmkgDTa3ilYTz/BNbEyiVfi1Qod/CczdZH_2BY/L Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1U Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlVqYGBdfPFn/U_2FpF45FRVvtng0/CHSrG3ox4kKO6nz/fa8Bk9I48YJ2mibVvx/L_2Bqol7c/tsQwCAooqkWn6gPAbSWl/QD3zhXOtMzYL6Ym04zh/5_2FgybkUk94HZTf6olCIq/9FN98evTn58b0/8CSSre_2/Bu6Ikb6rwvx1DWohv5RLt4o/e_2BWF_2Bc/d5_2Fp_2BgsUfGW3Y/Tgn5X_2Fo_2B/ZZIMFZgAKXa/ZNoVGytLkCHCdG/XBDYst2ree/Zgtmz5W2Tq8P/H Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgU Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_ Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_ Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf_2FJ1a_2BK/ZfrLOk2W31qhtbg9JWUwPE/hN5bUcB50eKT_/2BNd8E_2/FZi_2BFfGni4E2JjnbevSKB/8h9tWV54XR/zR1VMEFW8ZFskTIvF/Gph5WUak2QX5/sVOcmn1nNvc/RnK_2B00CLgf0I/K7lgIJJ7sya5Al4fACOfm/BvxQs3fAG6a0MebC/NKtDiZMQRT60IUJ/f0dP0RsUXiNDqIW54v/LL56Tq1vM/s_2FlHH5u86U7q76_2Ft/4GmpUkuUY0whYNq9pWf/DCuUzAdQ/8 Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlV Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/L_2BDt9ytUk/uJ29Pz3DiT6ki3/08jXqEr2Bw1VZtjZ7PHMr/mkp8mx2j_2Fh_2BM/48r5Iz6Z2 Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0A2/CNDB50xXgmy2p4EWxn/DaMjDghfb/cWK8m8ncHHGRZhGMepDc/nDGGUvCSKIWD73abwqz/PSlYxoNGoul9uvoUM2lkYp/iUEvsJec7I6HC/9f5WLr8u/422hTa5FmMbzsZrrYeL5ZCh/Hr1urRNWuy/StfzJRwO7PFWr_2Ft/9TWK1WqIM09Q/q8nrTS3QqnI/jfRzgUIatEJnmp/MqYnHLVMk2JoJoUVcpg0A/FnIEAZIY/9xBtC9wkdw5/g Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgUI7p_2FiVc6/t_2Fl8EaBR1HS_2BNK5/X8y72xR2qjkHaZyrNERbO7/v2peyintdJ24L/Yw8tw7QT/dLXZu5OFhvWbL455USn4LnJ/HMP0smJj_2/FZwXFbprpV3aJCWuX/15bJnANkFNAX/hVoXLTlCLIU/tXHaEx0muHiXJx/btyId5nqGgZC05fEhjIaO/rm6z0UiaoPx_2FiX/TGKuABuP8srX2Ck/eUAi3TXKVNasxDo0P3/laW2oibPa/zBY4kInj1Zn68Xf49Wvw/7KJZdF0VpEe/P Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9vi5ds/IzgeuD6q87gFwZ/84qOsYKFhKxVr6L0Cag3l/PL1RiNFP_2BXA4Cd/ksDe_2BH0hSy4qr/ZjPn7VhnaRpwImnOZ4/d0Piqs_2F/AJoXR13SZzOA0tqrByvJ/vMFrOLoWX0owBj80j0g/nPQR2b2kCMyMldOZ2WWvYd/aoe4QO8ibbCp3/q_2Bre6L/dJzbiZ3n5z4pEwkiyFez6gn/uNwx7h8FiM/chP3D4vmodPyh8n0y/tjNup8GzZEvE/7l7rBmGdOaq/dgKOoGhW3lw/NG Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2F Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8S Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/favicon.ico Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/ Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6 Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0 Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9 Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8SL1e_2Bcy1brJLJ_/2BjovsduMdCqU0x4/GQVR4nMtPLQI34Q/jvoS0v2ZfIuYqB_2F9/H14dXc2_2/Bjq_2BEdNrJJI2sl8dBd/0EXv2jUPwYTVqmYCs_2/BvSZuMChVtYZMZS6DsVwap/yVgW08_2Ff8kL/trSm6I_2/FftLBTNnGuYda0Kts3xBoIq/hS7V_2FgQN/zYOOceAjlTgUyD0tU/GveuM_2F9QKt/Dw_2BirtM_2/B5GjUkddBSdTKK/gGHOev3Y5/fKlghW Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "oGIIttJEUG45fjge5YNkLrvYjNyFXbFRzSUVTLJ7ftnTBJeHa2ZI+8ADq/WBkIJIyCZesL4aCXkn94wRRQ+tyr9e0y5MNR+ULzq+nAiRWvNfXvT0196sjqB6oFsOPlfwaMOP2DaMNxkmh21TgkvcUJqABJ3I8EQwRxrH+GedjRzgdjdjn/y9cwZ+MJQXG/FtyJTTUBPyEwS1yqvDVH4ENtPcf7Smqshl2XQUQYeiwggvRSDgbKAnYWofz4wrekkGXVEh+BA8Mxud/zukujDjiLfV18ssQriJ1N4K2x41+2gCMUV+ZsGwVTthv8RdZbUH76oBxr/zfUiirDYNENpKEaOVbtYGJzUVmqZ2E7MzhEQ=", "c2_domain": ["authd.feronok.com", "raw.pablowilliano.at"], "botnet": "4500", "server": "580", "serpent_key": "58Pw0UfuGfpVnkTA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: authd.feronok.com Virustotal: Detection: 10% Perma Link
Source: raw.pablowilliano.at Virustotal: Detection: 9% Perma Link
Machine Learning detection for sample
Source: 1.dll Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A35A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 2_2_007A35A1

Compliance:

barindex
Uses 32bit PE files
Source: 1.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: 1.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Whole\Stead\716\Enough\Pitch.pdb source: loaddll32.exe, 00000000.00000002.1096853134.000000006D4E8000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1098259470.000000006D4E8000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1098045536.000000006D4E8000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.1097456266.000000006D4E8000.00000002.00020000.sdmp, 1.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4E0B15 FindFirstFileExW, 0_2_6D4E0B15
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A4E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_007A4E9C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4E0B15 FindFirstFileExW, 2_2_6D4E0B15
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4E0B15 FindFirstFileExW, 3_2_6D4E0B15
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4E0B15 FindFirstFileExW, 5_2_6D4E0B15

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.185.68 104.20.185.68
Source: Joe Sandbox View IP Address: 87.248.118.22 87.248.118.22
Source: Joe Sandbox View IP Address: 87.248.118.22 87.248.118.22
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: GET /hmMzQKK9IpZemMI/AV6w9eELu1YSVPBd2B/U2fmYepaP/iI8O34L03l282SsJYJjt/THEo6G77tTZkWbFjswk/x5coSmyB_2F4jLyj_2BWzi/6brroK7xJ8XZw/qfOP9LCj/GvL6W_2BEyoAwzvHXO966ph/vsMK1fkmb9/Ds2jsNIzoVo0lOo11/93YGENzA_2FI/YQv31Ede4MT/_2F4pMgtrANakD/LvbGaJL2nZYMuK54K4Biv/2JptecryCAf4aMir/HTQaPZnOQ8GVTpZ/KhSSbNSk98bViqYzXp/G1toKGfzW/IDNKIf6dXCyDW/4KEp6m HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9vi5ds/IzgeuD6q87gFwZ/84qOsYKFhKxVr6L0Cag3l/PL1RiNFP_2BXA4Cd/ksDe_2BH0hSy4qr/ZjPn7VhnaRpwImnOZ4/d0Piqs_2F/AJoXR13SZzOA0tqrByvJ/vMFrOLoWX0owBj80j0g/nPQR2b2kCMyMldOZ2WWvYd/aoe4QO8ibbCp3/q_2Bre6L/dJzbiZ3n5z4pEwkiyFez6gn/uNwx7h8FiM/chP3D4vmodPyh8n0y/tjNup8GzZEvE/7l7rBmGdOaq/dgKOoGhW3lw/NG HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /VMv7LJ_2BvHL1lAyBiIjOC/_2B7R5c5uBmVX/X_2BYOAz/c0JLWfH49Nf9MAo_2BDl4xa/R1AF1HMSTQ/bLaP1J1juReG5ZJVb/QYSvbgDFP8oH/ojoQlsq2pc6/TweVpJheh34_2F/PmYm7ijZzpHxG_2Bxq1LR/SrkvKw6i_2BlV4wH/vfhdf5W6RyIgW5h/R0S83XZWkpNINEYVu_/2B9rBv2eE/EjqvPfSEYxpRm4fbT_2B/jA5sIiGntXF7YquHuq2/5rBOQjeRQGS3CD2NKKgqP5/E1Tupr3fdlgcT/n1xpAp_2/Bp4ISropkyZq5kW1zN7S5jV/Sqm_2BC HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L_2BDt9ytUk/uJ29Pz3DiT6ki3/08jXqEr2Bw1VZtjZ7PHMr/mkp8mx2j_2Fh_2BM/48r5Iz6Z2h_2Bg7/3c0JHMzi_2Bd8uVzJ5/uGDraFJKA/IFdt67IIK9VJ7zdnK4nw/jNbnNqei800ZG6T1Vpc/m9N_2BygQv60O0G4Ym7L1A/5RXKQGdksp5xa/gXKVe3Ly/cvcBIVxMqI3xDpqjvHjrI2T/TRX0RhYRP1/5D3VV1o_2BBhqpq4S/1RvoBIEOAT_2/BplWcAPb1TV/eEr_2FeuF0l_2F/UZ_2BWtCVxiKVpMWxO9UV/wrN6QXkuuYNbanbv/j5MKthTa8X0o6I4/qwxpZ0TO4/bmuUKh0n HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dgzEbQ4OdHi6vrZ8TXtj/42P6D_2FQzGJBqjHjxr/k7tYCNr_2BHR8cgUzK_2Bs/fZKbEnCTwoi6R/nQC9OZqH/TGhDZxT_2FcyK4SWqRZQa7w/41mbt7_2B_/2FtBemIRh9CRKakc_/2FaUTf7brC_2/BoPFXB3WUVS/t0M9Y7B5D9tXCb/3vVm2UdQ7QnBcJ_2B5FZY/HKCjwrAvNhkFAJ9S/42tcvlD5WAdpz7b/tfcmR4KwAA0AIq0GqV/1JYJnedpn/6P_2Bdhq8_2FOGrAw5S1/RksGCiQL0vInFpv93x6/GPB7vBf2Ua61U1JKwYMYBT/W_2BMupqR3OLU/3N2FUTT6/mBp5pryRUA_2Bff/j HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6W61j9yq8/abuhFDsODTcGxVnWQ/E_2BE3e1OTvy/3WD7TSUbyOm/cpm4396P_2Fjd0/pOy7riIEzmJp_2FxZmWLM/gNpof3_2FnlsfWUd/1743QqIgg_2FQRu/ZKVtHnC8C1xvmv_2B8/vHh2F1obc/m3eV0F3yYMczZiknu1Ew/H6Bi_2BTSpyXLXazxZH/wg8NqLvm2lSF1HlaU3pANa/1U6Z_2BZLYJJ_/2BlaNQcq/ledo9CFvcm_2F6MjGWcFo9L/RAKX4mmp_2/F_2FxtA6ZOAujrSBZ/4yu9h7z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1Uc9Lk5/eTvtAYmWtMxfAC/IbcZg8p7Nqfw4xi6JFwgY/iX8lYPiI0RfUKruW/cRS7MvLhOTcIXvx/A_2F5SdmT8BNOtLhIu/P7uLQkYdw/iuMR5Z51enQS4ZwsoBTP/Dtp84_2B7PB4d6Ih_2F/AlW2oiOiFE_2FnyCSEdY9y/vWCqa6t9PLYnR/oBTHljmW/b1W1259HTZYZTaG9O2900Q0/yz_2FOFMzC/llouIHAJZHwF3f0aR/_2FSLB7YfaTL/BdH925d4dS3/7iDYe3o7fiS/Pl HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgUI7p_2FiVc6/t_2Fl8EaBR1HS_2BNK5/X8y72xR2qjkHaZyrNERbO7/v2peyintdJ24L/Yw8tw7QT/dLXZu5OFhvWbL455USn4LnJ/HMP0smJj_2/FZwXFbprpV3aJCWuX/15bJnANkFNAX/hVoXLTlCLIU/tXHaEx0muHiXJx/btyId5nqGgZC05fEhjIaO/rm6z0UiaoPx_2FiX/TGKuABuP8srX2Ck/eUAi3TXKVNasxDo0P3/laW2oibPa/zBY4kInj1Zn68Xf49Wvw/7KJZdF0VpEe/P HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8SL1e_2Bcy1brJLJ_/2BjovsduMdCqU0x4/GQVR4nMtPLQI34Q/jvoS0v2ZfIuYqB_2F9/H14dXc2_2/Bjq_2BEdNrJJI2sl8dBd/0EXv2jUPwYTVqmYCs_2/BvSZuMChVtYZMZS6DsVwap/yVgW08_2Ff8kL/trSm6I_2/FftLBTNnGuYda0Kts3xBoIq/hS7V_2FgQN/zYOOceAjlTgUyD0tU/GveuM_2F9QKt/Dw_2BirtM_2/B5GjUkddBSdTKK/gGHOev3Y5/fKlghW HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlVqYGBdfPFn/U_2FpF45FRVvtng0/CHSrG3ox4kKO6nz/fa8Bk9I48YJ2mibVvx/L_2Bqol7c/tsQwCAooqkWn6gPAbSWl/QD3zhXOtMzYL6Ym04zh/5_2FgybkUk94HZTf6olCIq/9FN98evTn58b0/8CSSre_2/Bu6Ikb6rwvx1DWohv5RLt4o/e_2BWF_2Bc/d5_2Fp_2BgsUfGW3Y/Tgn5X_2Fo_2B/ZZIMFZgAKXa/ZNoVGytLkCHCdG/XBDYst2ree/Zgtmz5W2Tq8P/H HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf_2FJ1a_2BK/ZfrLOk2W31qhtbg9JWUwPE/hN5bUcB50eKT_/2BNd8E_2/FZi_2BFfGni4E2JjnbevSKB/8h9tWV54XR/zR1VMEFW8ZFskTIvF/Gph5WUak2QX5/sVOcmn1nNvc/RnK_2B00CLgf0I/K7lgIJJ7sya5Al4fACOfm/BvxQs3fAG6a0MebC/NKtDiZMQRT60IUJ/f0dP0RsUXiNDqIW54v/LL56Tq1vM/s_2FlHH5u86U7q76_2Ft/4GmpUkuUY0whYNq9pWf/DCuUzAdQ/8 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_2FkBi36_/2BcKHehCiVzJ0ZlxZwUe/L605o3IJbqARL43QjWI/5xKrHdjyff8x2rKCgmO7Mu/SD9GyKc_2FBsi/PnW3TDEt/vmXdCw3sFAveNrYKm6TcRex/ohSiZG5THC/3RxSnoz2RW1R2SJHo/_2BwMcdQnslY/eZbgGLoqDt1/hcHL1ijHz1HAC4/B1wguCo7y8KJKFrVLMood/ADnIvNjKfSqFXvOX/vfzJTRrlv1hKd_2/FiJ_2B9pSc20z1/m HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2FnvdcEMKMRo_2/F5OjjPaAspe7o4IE/EqFxzHwYABNSlAE/lleSQROZ4w0qJdPqAF/2uvD9hc1W/12Vnc8IsQCLFh17B6tDt/cKmqUuBU2BwRALjP8bK/qTWq5ZVsfRFHRSRiWcw9bb/QVGOld7VBpWc2/BxulCusO/edEIsjDQMiIt9Z1TfDqldTW/y_2FZW0fap/KxSo1EYJZ0Ju_2Fb0/HNbtGKevtru9/sVQobl_2Fhi/LbDUGWF1rDaSkY/Bqnt50gbD/FtzmqLc_/2B HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0A2/CNDB50xXgmy2p4EWxn/DaMjDghfb/cWK8m8ncHHGRZhGMepDc/nDGGUvCSKIWD73abwqz/PSlYxoNGoul9uvoUM2lkYp/iUEvsJec7I6HC/9f5WLr8u/422hTa5FmMbzsZrrYeL5ZCh/Hr1urRNWuy/StfzJRwO7PFWr_2Ft/9TWK1WqIM09Q/q8nrTS3QqnI/jfRzgUIatEJnmp/MqYnHLVMk2JoJoUVcpg0A/FnIEAZIY/9xBtC9wkdw5/g HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /sX4dtwL7bay/rzZGwpnfzczFz3/LsBuX9huxqt_2FdLEMzat/b0BQWHIzHX0afe_2/FzCUWEL0PZc9lgZ/f8naaH0uh3Zi_2FkoD/wcVz9D_2B/K2spupldujIpl6_2F1IN/JJZEthD_2BqNHOG7vWe/xU83hDn75Y_2F7X6pQsqWS/nSOIIPGElOe7E/yCFiYhwx/d939bK9w5BMC_2FRQXloMhp/DAOEqmyIWw/Kzds0FoPo7LNhBc8B/xBOXP4CWJl3D/MzbHOxNvkUe/vW0lC6SpHq1YUw/_2FL2CiRudBOqo8KHNdva/PDtAk_2BKn3r_2Fw/8rN45Wd5_2BHZeB/mZ8NMbVb5wYhbTA5w/V_2B HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:86.0) Gecko/20100101 Firefox/86.0Host: raw.pablowilliano.at
Source: global traffic HTTP traffic detected: GET /fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey8/9KmQXXHW4gs3a/9wgniy83/wKdGA8aJWZ5vZIo_2FiHAUb/zP0hJ_2BZH/ieJtaC2qsJk3_2Fow/0ttQYgmKdzve/ExwbYpZnP5c/82RPIPzJe1gOLF/_2BRc7ZeEUGg3SmE1TpuS/gPPWxB_2BjL0KDQa/cEkcJSpFensONz2/JuZCF1CCARKPWeUk_2/FvcrH8CIA/yx05ZSmlcDL9ZKkPz_2F/hnEgW0PJ8VaXmVS3OM5/DCOZcdQW8DmkgDTa3ilYTz/BNbEyiVfi1Qod/CczdZH_2BY/L HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: de-ch[1].htm.6.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp String found in binary or memory: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_
Source: {17550680-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8S
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp String found in binary or memory: http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlV
Source: {17550682-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DFCB466DF04067B9CF.TMP.4.dr String found in binary or memory: http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlVqYGBd
Source: {17550684-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf
Source: {FC3DF8C6-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://authd.feronok.com/L_2BDt9ytUk/uJ29Pz3DiT6ki3/08jXqEr2Bw1VZtjZ7PHMr/mkp8mx2j_2Fh_2BM/48r5Iz6Z2
Source: ~DF18426F049004E0E1.TMP.4.dr, {FC3DF8C4-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://authd.feronok.com/VMv7LJ_2BvHL1lAyBiIjOC/_2B7R5c5uBmVX/X_2BYOAz/c0JLWfH49Nf9MAo_2BDl4xa/R1AF1
Source: {02B5BFEA-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://authd.feronok.com/dgzEbQ4OdHi6vrZ8TXtj/42P6D_2FQzGJBqjHjxr/k7tYCNr_2BHR8cgUzK_2Bs/fZKbEnCTwoi
Source: {E30F6C06-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://authd.feronok.com/hmMzQKK9IpZemMI/AV6w9eELu1YSVPBd2B/U2fmYepaP/iI8O34L03l282SsJYJjt/THEo6G77t
Source: {1E26C961-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.6.dr String found in binary or memory: http://popup.taboola.com/german
Source: regsvr32.exe, 00000002.00000002.1094015467.0000000000BCA000.00000004.00000020.sdmp String found in binary or memory: http://raw.pablowilliano.at/
Source: {1081BFD7-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgU
Source: {09BC39C1-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6
Source: {F0E7C154-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp String found in binary or memory: http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2F
Source: {24DDE3A9-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DF2574ADFCE17069FC.TMP.4.dr String found in binary or memory: http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2FnvdcE
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp String found in binary or memory: http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0
Source: ~DF502FB81A68309E09.TMP.4.dr, {24DDE3A7-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0A2/CN
Source: {09BC39C3-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DFDAF305825D1F4F98.TMP.4.dr String found in binary or memory: http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1U
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp String found in binary or memory: http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2
Source: ~DF9E90F1D74363A308.TMP.4.dr, {2BB8F01A-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr String found in binary or memory: http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey
Source: regsvr32.exe, 00000002.00000003.1070284695.0000000000C4F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.1094093257.0000000000C21000.00000004.00000020.sdmp String found in binary or memory: http://raw.pablowilliano.at/sX4dtwL7bay/rzZGwpnfzczFz3/LsBuX9huxqt_2FdLEMzat/b0BQWHIzHX0afe_2/FzCUWE
Source: ~DFF80766C3FDE4D880.TMP.4.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.4.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.4.dr String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.4.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.4.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.4.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.4.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.4.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.4.dr String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.6.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.6.dr String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: de-ch[1].htm.6.dr String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: auction[1].htm.6.dr String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=RCMAt1gGIS8WXc8APYp_ZOqKWxDwbRM5FCccwzTTz.S14TSo
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.6.dr String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
Source: ~DFF80766C3FDE4D880.TMP.4.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: ~DFF80766C3FDE4D880.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DFF80766C3FDE4D880.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.6.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.6.dr String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=5wPrxQkGIS9N4yUlZ7JcFIwprOH8Ei2wBvqqRYyFUYST
Source: regsvr32.exe, 00000002.00000003.1070284695.0000000000C4F000.00000004.00000001.sdmp String found in binary or memory: https://lo.pablowilliano.at/
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1622746721&amp;rver
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1622746721&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1622746722&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1622746721&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.6.dr String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.6.dr String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: auction[1].htm.6.dr String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: ~DFF80766C3FDE4D880.TMP.4.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: auction[1].htm.6.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/V2crpAJeakj_9YEn1xys_g--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWl
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: auction[1].htm.6.dr String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=9ecc1772ef804391b1937a727e8fcb51&amp;r=infopane&amp;i=1&
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
Source: imagestore.dat.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFMgy.img?h=368&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXITZ.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.6.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DFF80766C3FDE4D880.TMP.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/26-j%c3%a4hriger-mann-stirbt-nach-sturz-auf-vorpla
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/eye-tracking-bei-online-pr%c3%bcfungen-keiner-%c3%
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/k%c3%b6nnen-seil-oder-hochbahnen-z%c3%bcrichs-verk
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/trotz-breiter-protestwelle-sollen-die-maag-hallen-
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/unfall-mit-f%c3%bcnf-autos-beim-brunaupark-26-j%c3
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wer-bekommt-im-kanton-z%c3%bcrich-pr%c3%a4mienverb
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/berufung-zum-professor-ohne-doktortitel/ar-AAKEMiw?ocid=hplocal
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/der-singende-snowboader/ar-AAKFmIQ?ocid=hplocalnews
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/gr%c3%bcne-fordern-regierung-soll-zeitungen-f%c3%b6rdern/ar-AAK
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/junger-mann-stirbt-nach-sturz-von-einer-mauer-bei-der-eth/ar-AA
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.1094063513.0000000000D1B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A35A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 2_2_007A35A1

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A18D1 GetProcAddress,NtCreateSection,memset, 0_2_6D4A18D1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A1B89 NtMapViewOfSection, 0_2_6D4A1B89
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A2485 NtQueryVirtualMemory, 0_2_6D4A2485
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A3CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 2_2_007A3CA1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A81CD NtQueryVirtualMemory, 2_2_007A81CD
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A2264 0_2_6D4A2264
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4E69B1 0_2_6D4E69B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A6609 2_2_007A6609
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A7FA8 2_2_007A7FA8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4E69B1 2_2_6D4E69B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4E69B1 3_2_6D4E69B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4E69B1 5_2_6D4E69B1
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D4E05B7 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D4DBE70 appears 60 times
Sample file is different than original file name gathered from version info
Source: 1.dll Binary or memory string: OriginalFilenamePitch.dll8 vs 1.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Uses 32bit PE files
Source: 1.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 1.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winDLL@43/153@26/5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A19E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_007A19E7
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B10F1F20-C49D-11EB-90EB-ECF4BBEA1588}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF0C5126AEADFE7CF3.TMP Jump to behavior
Source: 1.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1.dll',#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\1.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17428 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17436 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17444 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17452 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17460 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17464 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83012 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17482 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17490 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83032 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17512 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17520 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17528 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83064 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17542 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1.dll',#1 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17428 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17436 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17444 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17452 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17460 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17464 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83012 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17482 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17490 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83032 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17512 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17520 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17528 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83064 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17542 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: 1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Whole\Stead\716\Enough\Pitch.pdb source: loaddll32.exe, 00000000.00000002.1096853134.000000006D4E8000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1098259470.000000006D4E8000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1098045536.000000006D4E8000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.1097456266.000000006D4E8000.00000002.00020000.sdmp, 1.dll
Source: 1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A1F31 LoadLibraryA,GetProcAddress, 0_2_6D4A1F31
PE file contains an invalid checksum
Source: 1.dll Static PE information: real checksum: 0x72cef should be: 0x733e6
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A2253 push ecx; ret 0_2_6D4A2263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A2200 push ecx; ret 0_2_6D4A2209
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B2536 push ss; retf 0_2_6D4B25A6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B44A0 push edx; iretd 0_2_6D4B44A1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4AF75E pushfd ; ret 0_2_6D4AF764
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4AEF96 push es; retf 0_2_6D4AEF97
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B2E34 push ecx; retf 0_2_6D4B2E3A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B1132 push ss; iretd 0_2_6D4B1133
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B01D1 push ebp; ret 0_2_6D4B01D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B19E2 push edi; ret 0_2_6D4B19E3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B1080 push ss; iretd 0_2_6D4B10B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50DE70 push esp; retf 0_2_6D50DE72
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007AB67C push ss; retf 2_2_007AB690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A7C20 push ecx; ret 2_2_007A7C29
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007AB163 push edx; iretd 2_2_007AB164
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A7F97 push ecx; ret 2_2_007A7FA7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4B2536 push ss; retf 2_2_6D4B25A6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4B44A0 push edx; iretd 2_2_6D4B44A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4AF75E pushfd ; ret 2_2_6D4AF764
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4AEF96 push es; retf 2_2_6D4AEF97
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4B2E34 push ecx; retf 2_2_6D4B2E3A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4B1132 push ss; iretd 2_2_6D4B1133
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4B01D1 push ebp; ret 2_2_6D4B01D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4B19E2 push edi; ret 2_2_6D4B19E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4B1080 push ss; iretd 2_2_6D4B10B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D50DE70 push esp; retf 2_2_6D50DE72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4B2536 push ss; retf 3_2_6D4B25A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4B44A0 push edx; iretd 3_2_6D4B44A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4AF75E pushfd ; ret 3_2_6D4AF764
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4AEF96 push es; retf 3_2_6D4AEF97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4B2E34 push ecx; retf 3_2_6D4B2E3A

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.9 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6524 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4E0B15 FindFirstFileExW, 0_2_6D4E0B15
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A4E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_007A4E9C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4E0B15 FindFirstFileExW, 2_2_6D4E0B15
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4E0B15 FindFirstFileExW, 3_2_6D4E0B15
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4E0B15 FindFirstFileExW, 5_2_6D4E0B15
Source: regsvr32.exe, 00000002.00000002.1094118595.0000000000C3F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000002.00000002.1094015467.0000000000BCA000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW@m

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D4DBD49
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A1F31 LoadLibraryA,GetProcAddress, 0_2_6D4A1F31
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4E061C mov eax, dword ptr fs:[00000030h] 0_2_6D4E061C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4DF1BF mov eax, dword ptr fs:[00000030h] 0_2_6D4DF1BF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50B242 mov eax, dword ptr fs:[00000030h] 0_2_6D50B242
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50B178 mov eax, dword ptr fs:[00000030h] 0_2_6D50B178
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50AD7F push dword ptr fs:[00000030h] 0_2_6D50AD7F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4E061C mov eax, dword ptr fs:[00000030h] 2_2_6D4E061C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4DF1BF mov eax, dword ptr fs:[00000030h] 2_2_6D4DF1BF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D50B242 mov eax, dword ptr fs:[00000030h] 2_2_6D50B242
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D50B178 mov eax, dword ptr fs:[00000030h] 2_2_6D50B178
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D50AD7F push dword ptr fs:[00000030h] 2_2_6D50AD7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4E061C mov eax, dword ptr fs:[00000030h] 3_2_6D4E061C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4DF1BF mov eax, dword ptr fs:[00000030h] 3_2_6D4DF1BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D50B242 mov eax, dword ptr fs:[00000030h] 3_2_6D50B242
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D50B178 mov eax, dword ptr fs:[00000030h] 3_2_6D50B178
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D50AD7F push dword ptr fs:[00000030h] 3_2_6D50AD7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4E061C mov eax, dword ptr fs:[00000030h] 5_2_6D4E061C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4DF1BF mov eax, dword ptr fs:[00000030h] 5_2_6D4DF1BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D50B242 mov eax, dword ptr fs:[00000030h] 5_2_6D50B242
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D50B178 mov eax, dword ptr fs:[00000030h] 5_2_6D50B178
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D50AD7F push dword ptr fs:[00000030h] 5_2_6D50AD7F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D4DBD49
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4DBECB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D4DBECB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4DEACE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D4DEACE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6D4DBD49
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4DBECB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6D4DBECB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D4DEACE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6D4DEACE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D4DBD49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4DBECB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6D4DBECB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4DEACE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D4DEACE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6D4DBD49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4DBECB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6D4DBECB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4DEACE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6D4DEACE

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 34.95.62.189 80 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: raw.pablowilliano.at
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1.dll',#1 Jump to behavior
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4DBB69 cpuid 0_2_6D4DBB69
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6D4A1566
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A1979 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6D4A1979
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_007A3946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 2_2_007A3946
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6D4A146C
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs