Analysis Report 2ff0174.dll

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: 2ff0174.dll

Avira: detected

Found malware configuration

Source: 2.2.regsvr32.exe.10000000.3.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "Hlj6FsCRmYLQM3DePAZKhqqkm2anmmatLYzzlHMToI9oQMsMAI9IbEz2bGdd+gr2u4VuQjeWYilfB/16/izG7wjz7L4W/Jko2VygJincvoQS9l5iG1bHubawsajm0EZr4kAGsqUOVptbNuiYmv9FF2NvtfBzvBKTABLE/vZO1hlYCpOb21WeAL0kkXf6wrbg", "c2_domain": ["mail.com", "vhfkffjddyjunekugjtr.xyz", "qtrweyuiopolkhgbjune.xyz"], "botnet": "5455", "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Machine Learning detection for sample

Source: 2ff0174.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.regsvr32.exe.10000000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 6.2.rundll32.exe.10000000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.10000000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files

Source: 2ff0174.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49900 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49905 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49927 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49929 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49928 version: TLS 1.2

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01724C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		0_2_01724C3B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00AD4C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_00AD4C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04254C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		3_2_04254C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_029B4C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		6_2_029B4C3B

Networking:

Performs DNS queries to domains with low reputation

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: vhfkffjddyjunekugjtr.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: vhfkffjddyjunekugjtr.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: vhfkffjddyjunekugjtr.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: vhfkffjddyjunekugjtr.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: qtrweyuiopolkhgbjune.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: qtrweyuiopolkhgbjune.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: qtrweyuiopolkhgbjune.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: qtrweyuiopolkhgbjune.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: vhfkffjddyjunekugjtr.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: vhfkffjddyjunekugjtr.xyz
Source:	DNS query: vhfkffjddyjunekugjtr.xyz
Source:	DNS query: vhfkffjddyjunekugjtr.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 151.101.1.44 151.101.1.44
Source: Joe Sandbox View	IP Address: 104.20.185.68 104.20.185.68

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /uripath/fcbslbaQpLGER/anAUxx7k/P6qNRF5XQyAjAahpDrcIJV_/2BFr8ewDzH/kQKcuAEadNq8bnSP3/wERFtfm7vyGn/vtnJWrjvx8a/3Jsty6cDbS_2BT/gpxDtVgwpd6fGwdYn6qs2/kmBHoYzJ0NzlB9tA/okgty4mo62PuQhI/vZTwR4IKuGhmX2McfB/4w9w6_2Bd/_2B3x_2Bn_2B/YKaqn.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: mail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uripath/WORqDY6_2BNfZ/KgWjiUUb/r87p6Orp_2Fmh0hHOaxhMMx/ttdOCXkBqo/vynRd5zf5hKBUtGNh/0ojVxeS0qGS0/kgLUoqcMUEo/HR5dFHbxXWkW5o/9wtG9IYf543FmlEl8G7Oe/tN_2FH_2FSXdL5Ee/kdKHsrNBEo9mT5n/OC3135hdYrpmFulc1o/ahW7bgseQVlR0vy/8zZARGC.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vhfkffjddyjunekugjtr.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vhfkffjddyjunekugjtr.xyzConnection: Keep-AliveCookie: PHPSESSID=f4ulcjh4ctpbrgokqf7lv9lpd4; lang=en
Source: global traffic	HTTP traffic detected: GET /uripath/Dpso2yRgb0Dyb/KAn6cCpr/gAmXw5kfG_2Bc9ne1cJuUpm/vIdHSfsVJ8/z1jcayamlCKKrI29R/G_2B_2FccqD2/qf4e_2Fz6RI/K0AsHCwnacJmTs/dz3R8eKROUC_2FWQj5PLa/EqJtAUgFuyqujecx/FxvhHy9NhkNYETE/8xNMShuXbdh_2BRm2_/2BKALThQM/WfIVp4VFD/2fstwBtrQ/e.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vhfkffjddyjunekugjtr.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=f4ulcjh4ctpbrgokqf7lv9lpd4
Source: global traffic	HTTP traffic detected: GET /uripath/PbAYRrZYAKQJ_2FiZxLfQe/0W3TmhG_2FKNb/HT1zWvSh/WsU1_2F6i0huFYRA429S2ek/rkBd8Gm1wt/jPrgo3Qm1r_2FcnOo/wfKJYrVFbHaY/uPAV9mHMrKZ/jAk7myMZiDAmSQ/yOGTwTyxfld98bsDv53U4/FqusXxECzNJh4e3H/b3Q8IDIjGjZYWaI/QVKc4rs5AqW2/jMtBGa.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vhfkffjddyjunekugjtr.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=f4ulcjh4ctpbrgokqf7lv9lpd4
Source: global traffic	HTTP traffic detected: GET /uripath/E2bq2WZHjxXirUql/0j3wLqnWLhS_2FZ/sba7m_2B0uIP2xWYHL/1K7Ue7b7G/RDSt44BzYu1fE3VAPCUJ/9QPLsVrWwp160niu2b2/eq5dmXJov5C7F4b262v9FO/_2BKRjfeC1BxT/FFLUNvQ4/Tdu5jzZWgzD6sQniFWjnG4k/aiTESeJUr_/2BQ8CAw1bz7En6onW/NIK7zZLA/ci.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vhfkffjddyjunekugjtr.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=f4ulcjh4ctpbrgokqf7lv9lpd4
Source: global traffic	HTTP traffic detected: GET /uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /public/css/normalize.css?1234 HTTP/1.1Accept: text/css, */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/css/bootstrap.min.css?1234 HTTP/1.1Accept: text/css, */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/css/themify-icons.css?1234 HTTP/1.1Accept: text/css, */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/css/lib/vector-map/jqvmap.min.css?1234 HTTP/1.1Accept: text/css, */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/css/cs-skin-elastic.css?1234 HTTP/1.1Accept: text/css, */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/css/scss/style.css?1234 HTTP/1.1Accept: text/css, */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/css/font-awesome.min.css?1234 HTTP/1.1Accept: text/css, */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/css/flag-icon.min.css?1234 HTTP/1.1Accept: text/css, */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/vendor/jquery-2.1.4.min.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/plugins.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/main.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/lib/chart-js/Chart.bundle.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/dashboard.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/lib/vector-map/jquery.vmap.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/widgets.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/css/animate.css HTTP/1.1Accept: text/css, */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/lib/vector-map/jquery.vmap.min.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/lib/vector-map/jquery.vmap.sampledata.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/scripts/lib/vector-map/country/jquery.vmap.world.js?1234 HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /public/fonts/fontawesome-webfont.eot? HTTP/1.1Accept: */*Referer: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzpohc/MPdtsYKQkNO4c/wkH4vJBP/Kc9NP9666_2Bsm2t4fFrVeM/Cje7KYUUkw/NwW99YvrzitdFW1CD/j_2F_2FvODtq/RqYshwP1aCJ/ht7YVvE6QxeJ_2/BXjQMi_2FBpQDANLtyu38/CN5k2RVP/U7O0rH.extAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoOrigin: http://qtrweyuiopolkhgbjune.xyzAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5; lang=en
Source: global traffic	HTTP traffic detected: GET /uripath/rfHWC41tNETdeQWjswyCogx/2GerTeq_2F/pTrbfZqC3HbPx0AC8/8PvaEEyqSBMQ/OI0eVJ5ixCL/pKmLDsx5jBT2dg/mYyZQFsej_2FmIk9ENFo_/2FKyKN8X1y1Qj4qv/wg_2F6DT_2F1UtB/x8hTbCqg1pGLyNEs7B/hxe_2BGbh/vaZctqoLB_2FhX3rnLtN/P_2BNdyaBZpb9Iw/e46aWlZ.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5
Source: global traffic	HTTP traffic detected: GET /uripath/HqAo_2FUT4Xi/etL7dOp10vF/1GZyviLFWjPlf_/2BpAjw1ynkMPMDMMcYEtk/PA3gWZ6idqjWSLO2/tLBqz9Srim1lIVY/5tdrShzt_2BFOk6kl4/GBF65Elv2/jlbxEfm8sICAzKhFfPjq/z6q_2BXgoZz8JSHl_2B/tocJ3oanhySIXVOUDqLTzc/gtzDn0U7CVT5W/Ac4C1A3B/UCHp.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5
Source: global traffic	HTTP traffic detected: GET /uripath/r_2F625JF8nc/Zl6uqWI71P7/1DbizOipbgp9jM/hoB3nCCm3H0vpt3zAF7ZH/8VqEosOuwdbePRdf/StMEJ1jUOGHfHEi/pbLUMmGyYI_2Be3yat/brD7T_2FB/930tZX_2FxZVxCKfUYGT/aDp_2BT47EhB9UDw1DB/hN77lZDfez35Qm0pV5OWyA/VPR3gJDQb_2Bv/hnrYY6jX/Ezib7z.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: qtrweyuiopolkhgbjune.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=dmi68ara3doq4fg6ve69gv8ck5
Source: global traffic	HTTP traffic detected: GET /uripath/m5zigbEwtRm5tbWTabSv7yN/5eir_2B9Vh/aKk3WnUnFcJEuyyua/ARiRkfJ3iFIQ/qDBnAv2igfa/mrhLian2LW_2B2/9OpQEW7r1oH5EbxzNz_2F/uyLCbd56_2B8viYh/NcE_2BN0hWhdn2k/S_2Fl0s3iSHGBIpV8q/3IvuuTvjE/P_2F5A01dnuye77sW1fw/lxHUAcZiiGEaGlB/coOMe.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vhfkffjddyjunekugjtr.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=f4ulcjh4ctpbrgokqf7lv9lpd4
Source: global traffic	HTTP traffic detected: GET /uripath/6vBwf5Sg/63VGZHA406Wp7f7jlCy24r7/UcVh3uhwQE/xWtNLCfmK_2BTsac6/ArGABH2W0G6j/WfqTbsJQTba/CiBiWBgWSqTJgQ/xptP7CraLrAbQV2a328U6/OIbDC5s3reaQL_2B/Y7eCj60Y1Ow88q_/2BBTjMmJFlG6kKHmUH/yY9UzhV3h/GbsY7tbpKX36R072CGX4/j_2BaX.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vhfkffjddyjunekugjtr.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=f4ulcjh4ctpbrgokqf7lv9lpd4
Source: global traffic	HTTP traffic detected: GET /uripath/sB8E3aa3L/XDVMq5XKI78tf7sk_2Ff/1uvfkmsySV_2FdyZgAj/rQ7fjQTkCIckO00r17I0Lb/mtwt35TqG8tZy/mDnNoNxk/Tgh2dt2Vdy7GhBOSvB_2FwH/whrBYKDwkz/dpBP4WwDQ4nBFUaXC/fkbG1qJ1BjcB/GFGY_2BTrZf/_2FHH5bo5ZfTaU/YDRNOIWU58cOT9TUrLoQ2/O_2FM.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vhfkffjddyjunekugjtr.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=f4ulcjh4ctpbrgokqf7lv9lpd4
Source: global traffic	HTTP traffic detected: GET /uripath/KJMFCR14UUr6TEcubLP/YbwPQTJxsUT84fW9igai2d/bBa3TsKL_2Fa7/jinWy1FQ/8hLJpFNPh1lTrschK6tvg49/PN4MiR4BEw/zPC9ul5MXldDAsMjb/tYN0UMhBuQCG/Dn0m_2F5tMD/2m07HiCuV5qocF/xpBR5CxDFeZdx3DU3M_2F/v6GRyvheQQ6w1NGD/Y_2BGn0XLTzC5lH/1f16WdgZV/Ygn1e5PVT/WIV.ext HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vhfkffjddyjunekugjtr.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=f4ulcjh4ctpbrgokqf7lv9lpd4

Found strings which match to known social media urls

Source: de-ch[1].htm.7.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: gtm[1].js.12.dr	String found in binary or memory: "arg1":"https:\/\/www.facebook.com\/mail.com" equals www.facebook.com (Facebook)
Source: de-ch[1].htm.7.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: potec.core.min[1].js.12.dr	String found in binary or memory: eh=function(){var a=z.O(U('\x3cdiv class\x3d"mod-konami"\x3e\x3cdiv class\x3d"vd"\x3e\x3ciframe width\x3d"640" height\x3d"360" src\x3d"https://www.youtube.com/embed/SrLZgP-OR6s" frameborder\x3d"0" allowfullscreen\x3e\x3c/iframe\x3e\x3cdiv class\x3d"close"\x3e\x3c/div\x3e\x3c/div\x3e\x3c/div\x3e').toString());z.O("body").append(a);var b=z.O(".mod-konami");b.width();b.find(".close").b("click",function(){function a(){b.removeNode()}z.T(b,"show");window.Modernizr.csstransitions||a();b.b("transitionend", equals www.youtube.com (Youtube)
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.7.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: potec.core.min[1].js.12.dr	String found in binary or memory: zh.prototype.f=function(){var a=this;this.url=z.R(this.a,"data-url")||window.location.href;this.Md="menubar\x3dno,toolbar\x3dno,resizable\x3dyes,scrollbars\x3dyes,height\x3d500,width\x3d500";this.a.find("[data-social]").b("click",function(b){b.preventDefault();switch(this.getAttribute("data-social")){case "facebook":window.open("https://www.facebook.com/sharer/sharer.php?u\x3d"+(0,window.encodeURIComponent)(a.url),"",a.Md);break;case "twitter":window.open("https://twitter.com/intent/tweet?text\x3d"+(0,window.encodeURIComponent)(window.document.title)+ equals www.facebook.com (Facebook)
Source: potec.core.min[1].js.12.dr	String found in binary or memory: zh.prototype.f=function(){var a=this;this.url=z.R(this.a,"data-url")||window.location.href;this.Md="menubar\x3dno,toolbar\x3dno,resizable\x3dyes,scrollbars\x3dyes,height\x3d500,width\x3d500";this.a.find("[data-social]").b("click",function(b){b.preventDefault();switch(this.getAttribute("data-social")){case "facebook":window.open("https://www.facebook.com/sharer/sharer.php?u\x3d"+(0,window.encodeURIComponent)(a.url),"",a.Md);break;case "twitter":window.open("https://twitter.com/intent/tweet?text\x3d"+(0,window.encodeURIComponent)(window.document.title)+ equals www.twitter.com (Twitter)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.msn.com

URLs found in memory or binary data

Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://24ways.org/2010/calculating-color-contrast
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://chartjs.org/
Source: animate[1].css.34.dr	String found in binary or memory: http://daneden.me/animate
Source: style[1].css.34.dr	String found in binary or memory: http://demos.jeweltheme.com/Sufee-Admin/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://dev.w3.org/csswg/css-color/#hwb-to-rgb
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://docs.closure-library.googlecode.com/git/closure_goog_date_date.js.source.html
Source: font-awesome.min[1].css.34.dr, fontawesome-webfont[1].eot.34.dr	String found in binary or memory: http://fontawesome.io
Source: font-awesome.min[1].css.34.dr	String found in binary or memory: http://fontawesome.io/license
Source: fontawesome-webfont[1].eot.34.dr	String found in binary or memory: http://fontawesome.io/license/
Source: fontawesome-webfont[1].eot.34.dr	String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: jquery.vmap[1].js.34.dr	String found in binary or memory: http://jqvmap.com
Source: head.min[1].js.12.dr	String found in binary or memory: http://modernizr.com/download/?-csstransforms-csstransforms3d-csstransitions-flexbox-flexboxlegacy-f
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://momentjs.com/docs/#/displaying/format/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://momentjs.com/docs/#/get-set/iso-weekday/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://momentjs.com/docs/#/parsing/string-format/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://momentjs.com/guides/#/warnings/add-inverted-param/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://momentjs.com/guides/#/warnings/define-locale/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://momentjs.com/guides/#/warnings/dst-shifted/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://momentjs.com/guides/#/warnings/js-date/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://momentjs.com/guides/#/warnings/min-max/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://momentjs.com/guides/#/warnings/zone/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://nnnick.github.io/Chart.js/docs-v2/#scales-time-scale
Source: de-ch[1].htm.7.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.7.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: animate[1].css.34.dr	String found in binary or memory: http://opensource.org/licenses/MIT
Source: popper.min[1].js.34.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: auction[1].htm.7.dr	String found in binary or memory: http://popup.taboola.com/german
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/
Source: imagestore.dat.4.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/favicon.ico
Source: imagestore.dat.4.dr, imagestore.dat.34.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/favicon.ico~
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/css/bootstrap.min.css?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/css/cs-skin-elastic.css?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/css/flag-icon.min.css?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/css/font-awesome.min.css?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/css/lib/vector-map/jqvmap.min.css?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/css/normalize.css?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/css/scss/style.css?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/css/themify-icons.css?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/images/
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/dashboard.js?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/lib/chart-js/Chart.bundle.js?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/lib/vector-map/country/jquery.vmap.world.js?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/lib/vector-map/jquery.vmap.js?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/lib/vector-map/jquery.vmap.min.js?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/lib/vector-map/jquery.vmap.sampledata.js?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/main.js?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/plugins.js?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/vendor/jquery-2.1.4.min.js?1234
Source: UCHp[1].htm.37.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/public/scripts/widgets.js?1234
Source: {92DF17F9-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/uripath/HqAo_2FUT4Xi/etL7dOp10vF/1GZyviLFWjPlf_/2BpAjw1ynkMPMDMMcYEt
Source: {8C619BE6-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/uripath/RgELBgMDUcLhX5wa_2BM/oftXg3zUOP3XNM8SzTE/il9BuzYmJ5GFlNygEzp
Source: rundll32.exe, 00000003.00000003.381489488.0000000000824000.00000004.00000001.sdmp, ~DF011B873B6312514B.TMP.4.dr, {99D19BCE-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/uripath/r_2F625JF8nc/Zl6uqWI71P7/1DbizOipbgp9jM/hoB3nCCm3H0vpt3zAF7Z
Source: {92DF17F7-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://qtrweyuiopolkhgbjune.xyz/uripath/rfHWC41tNETdeQWjswyCogx/2GerTeq_2F/pTrbfZqC3HbPx0AC8/8PvaEEy
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://scaledinnovation.com/analytics/splines/aboutSplines.html
Source: picturefill.min[1].js.12.dr	String found in binary or memory: http://scottjehl.github.io/picturefill
Source: {681FC20B-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: plugins[1].js.34.dr	String found in binary or memory: http://simontabor.com/labs/toggles
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://stackoverflow.com/a/14853974
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://stackoverflow.com/questions/181348/instantiating-a-javascript-object-by-calling-prototype-con
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://stackoverflow.com/questions/3561493/is-there-a-regexp-escape-function-in-javascript
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://stackoverflow.com/questions/8506881/nice-label-algorithm-for-charts-with-minimum-ticks
Source: style[1].css.34.dr	String found in binary or memory: http://themeforest.net/user/jewel_theme/portfolio
Source: imagestore.dat.26.dr	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/favicon.ico
Source: imagestore.dat.26.dr, imagestore.dat.4.dr	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/favicon.ico~
Source: ~DFE02B631E4A1F5FD7.TMP.4.dr, {AEA9A10B-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/uripath/6vBwf5Sg/63VGZHA406Wp7f7jlCy24r7/UcVh3uhwQE/xWtNLCfmK_2BTsac
Source: ~DFA1C09D42BCEB76DB.TMP.4.dr, {85A98998-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/uripath/Dpso2yRgb0Dyb/KAn6cCpr/gAmXw5kfG_2Bc9ne1cJuUpm/vIdHSfsVJ8/z1
Source: {8C619BE4-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/uripath/E2bq2WZHjxXirUql/0j3wLqnWLhS_2FZ/sba7m_2B0uIP2xWYHL/1K7Ue7b7
Source: ~DF5A41C26E9E6D5F33.TMP.4.dr, {85A9899A-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/uripath/PbAYRrZYAKQJ_2FiZxLfQe/0W3TmhG_2FKNb/HT1zWvSh/WsU1_2F6i0huFY
Source: {7E44528A-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/uripath/WORqDY6_2BNfZ/KgWjiUUb/r87p6Orp_2Fmh0hHOaxhMMx/ttdOCXkBqo/vy
Source: loaddll32.exe, 00000000.00000002.463206938.00000000024F0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.464440992.0000000003060000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.463017579.0000000002D40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.464798699.0000000002D60000.00000002.00000001.sdmp	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/uripath/m5zigbEwtRm5tbWTabSv7yN/5eir_2B9Vh/aKk3WnUnFcJEuyyua/AR
Source: ~DFED2C91BDCEE80C22.TMP.4.dr, {A740FA18-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/uripath/m5zigbEwtRm5tbWTabSv7yN/5eir_2B9Vh/aKk3WnUnFcJEuyyua/ARiRkfJ
Source: loaddll32.exe, 00000000.00000002.463206938.00000000024F0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.464440992.0000000003060000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.463017579.0000000002D40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.464798699.0000000002D60000.00000002.00000001.sdmp	String found in binary or memory: http://vhfkffjddyjunekugjtr.xyz/uripath/sB8E3aa3L/XDVMq5XKI78tf7sk_2Ff/1uvfkmsySV_2FdyZgAj/rQ7f
Source: permission-core.min[1].js.10.dr, webfont[1].js.12.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: style[1].css.34.dr	String found in binary or memory: http://www.gnu.org/licenses/gpl-2.0.html
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://www.html5canvastutorials.com/advanced/html5-canvas-mouse-coordinates/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://www.nathanaeljones.com/blog/2013/reading-max-width-cross-browser
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://www.paulirish.com/2011/requestanimationframe-for-smart-animating/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: http://www.robertpenner.com/easing/
Source: gtm[1].js.12.dr	String found in binary or memory: https://adservice.google.com/pagead/regclk
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.7.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: gtm[1].js.12.dr	String found in binary or memory: https://cct.google/taggy/agent.js
Source: index[1].htm.10.dr	String found in binary or memory: https://cdn.cookielaw.org/logos/b1d060cc-fa13-4e1e-8a5e-fd705963d55b/11da4229-abbc-4e04-a16b-72fa8f1
Source: index[1].htm.10.dr	String found in binary or memory: https://cdn.cookielaw.org/logos/b1d060cc-fa13-4e1e-8a5e-fd705963d55b/662e5c67-1d13-450e-90e2-8ba98fb
Source: index[1].htm.10.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: UCHp[1].htm.37.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.3/umd/popper.min.js
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: {681FC20B-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {681FC20B-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {681FC20B-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/CSS/used_value
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.1und1.de/permission/oneTrust/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://dl.dropboxusercontent.com/u/34601363/toomuchscience.gif
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://dl.dropboxusercontent.com/u/34601363/yeahscience.gif
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.gmx.at/permission/oneTrust/
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.gmx.ch/permission/oneTrust/
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.gmx.co.uk/permission/oneTrust/
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.gmx.com/permission/oneTrust/
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.gmx.es/permission/oneTrust/
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.gmx.fr/permission/oneTrust/
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.gmx.net/permission/oneTrust/
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://dl.mail.com/permission/live/v1/ppp/js/permission-client.js
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.mail.com/permission/oneTrust/
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://dl.mail.com/tcf/live/v1/js/tcf-api.js
Source: index[1].htm.10.dr	String found in binary or memory: https://dl.web.de/permission/oneTrust/
Source: index[1].htm.10.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Roboto:ital
Source: index[1].htm.10.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Droid
Source: UCHp[1].htm.37.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/droidsans/v12/SlGVmQWMvZQIdix7AFxXkHNSaw.woff)
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/droidsans/v12/SlGWmQWMvZQIdix7AFxXmMh3eDs1YQ.woff)
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/droidserif/v13/tDbK2oqRg1oM3QBjjcaDkOr4nAfcGA.woff)
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/droidserif/v13/tDbX2oqRg1oM3QBjjcaDkOr4lLz5CwOnTg.woff)
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/monda/v11/TK3gWkYFABsmjsLaGw8Enew.woff)
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/monda/v11/TK3tWkYFABsmjsphPhw.woff)
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v20/mem5YaGs126MiZpBA-UN7rgOUuhv.woff)
Source: css[1].css.34.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v20/mem5YaGs126MiZpBA-UN8rsOUuhv.woff)
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v20/mem5YaGs126MiZpBA-UN_r8OUuhv.woff)
Source: css[1].css.34.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v20/mem5YaGs126MiZpBA-UNirkOUuhv.woff)
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v20/mem8YaGs126MiZpBA-UFVZ0d.woff)
Source: css[1].css.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/shadowsintolight/v10/UqyNK9UOIntux_czAvDQx_ZcHqZXBNQzdcD_.woff)
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: plugins[1].js.34.dr, bootstrap.min[1].css.34.dr	String found in binary or memory: https://getbootstrap.com)
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://gist.github.com/nnnick/696cc9c55f4b0beb8fe9
Source: url-polyfill[1].js.10.dr	String found in binary or memory: https://github.com/WebReflection/url-search-params/blob/master/src/url-search-params.js
Source: url-polyfill[1].js.10.dr	String found in binary or memory: https://github.com/arv/DOM-URL-Polyfill/blob/master/src/url.js
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/chartjs/Chart.js/blob/master/LICENSE.md
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/chartjs/Chart.js/issues/2210
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/chartjs/Chart.js/issues/2435#issuecomment-216718158
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/chartjs/Chart.js/issues/2538
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/chartjs/Chart.js/issues/2807
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/chartjs/Chart.js/issues/3090
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/chartjs/Chart.js/issues/3521
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/chartjs/Chart.js/issues/3575
Source: plugins[1].js.34.dr	String found in binary or memory: https://github.com/ded/bonzo
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/dordille/moment-isoduration/blob/master/moment.isoduration.js
Source: bundle.min[1].js.10.dr	String found in binary or memory: https://github.com/getsentry/sentry-javascript
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/kkapsner/CanvasBlocker
Source: jquery.vmap[1].js.34.dr	String found in binary or memory: https://github.com/manifestinteractive/jqvmap/blob/master/LICENSE
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/moment/moment/issues/1423
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/moment/moment/issues/2166
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/moment/moment/issues/2978
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/moment/moment/pull/1871
Source: animate[1].css.34.dr	String found in binary or memory: https://github.com/nickpettit/glide
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://github.com/sass/libsass/blob/0e6b4a2850092356aa3ece07c6b249f0221caced/functions.cpp#L209
Source: picturefill.min[1].js.12.dr	String found in binary or memory: https://github.com/scottjehl/picturefill/blob/master/Authors.txt;
Source: plugins[1].js.34.dr	String found in binary or memory: https://github.com/simontabor/jquery-toggles
Source: plugins[1].js.34.dr, bootstrap.min[1].css.34.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: plugins[1].js.34.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: auction[1].htm.7.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: core[1].htm.10.dr	String found in binary or memory: https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/polyfills.min.js
Source: core[1].htm.10.dr	String found in binary or memory: https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/tracklib.min.js
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1623239467&rver
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1623239467&rver=7.0.6730.0&am
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1623239468&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1623239467&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: YKaqn[1].htm.10.dr	String found in binary or memory: https://mail.com/uripath/fcbslbaQpLGER/anAUxx7k/P6qNRF5XQyAjAahpDrcIJV_/2BFr8ewDzH/kQKcuAEadNq8bnSP3
Source: index[1].htm.10.dr	String found in binary or memory: https://mam-confluence.1and1.com/display/TDII/BRAIN-Tracking
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://momentjs.com
Source: index[1].htm.10.dr	String found in binary or memory: https://my.onetrust.com/s/article/UUID-185d63b9-1094-a9d3-e684-bb1f155ae6ad
Source: index[1].htm.10.dr	String found in binary or memory: https://nct.ui-portal.de/
Source: Chart.bundle[1].js.34.dr	String found in binary or memory: https://nodejs.org/dist/latest/docs/api/util.html#util_custom_inspect_function_on_objects
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: gtm[1].js.12.dr	String found in binary or memory: https://pagead2.googlesyndication.com
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: potec.core.min[1].js.12.dr	String found in binary or memory: https://popup.taboola.com/
Source: {681FC20B-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: rundll32.exe, 00000006.00000003.272823818.0000000004A5A000.00000004.00000040.sdmp	String found in binary or memory: https://s.uicdn.com/mailint/9.1693.0/
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1693.0/assets/consent/consent-management.js
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1693.0/assets/consent/mailcom/spinner.gif
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1693.0/assets/consent/mailcom/styles.css
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1693.0/assets/consent/main.js
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1693.0/assets/favicon.ico
Source: imagestore.dat.4.dr, imagestore.dat.10.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1693.0/assets/favicon.ico~
Source: rundll32.exe, 00000006.00000003.272823818.0000000004A5A000.00000004.00000040.sdmp	String found in binary or memory: https://s.uicdn.com/mailint/9.1693.0/assets/potec.core.min.js
Source: index[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/permission/
Source: core[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/permission/live/v1/ppp/js/polyfills/promise.min.js
Source: core[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/permission/live/v1/ppp/js/polyfills/url-polyfill.js
Source: index[1].htm.10.dr, core[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/shared/sentry/5.5.0/bundle.min.js
Source: index[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/tcf/
Source: core[1].htm.10.dr	String found in binary or memory: https://s.uicdn.com/tcf/live/v1/js/tcf-api.js
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKRicY.img?h=368&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXITZ.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: url-polyfill[1].js.10.dr	String found in binary or memory: https://url.spec.whatwg.org/#urlencoded-serializing
Source: webfont[1].js.12.dr	String found in binary or memory: https://use.typekit.net
Source: main[1].js.10.dr	String found in binary or memory: https://wa.mail.com/1and1/mailcom/s?_c=0&name=
Source: rundll32.exe, 00000006.00000003.272823818.0000000004A5A000.00000004.00000040.sdmp	String found in binary or memory: https://wa.ui-portal.de/opt-out-transfer/mailcom/
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.7.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: gtm[1].js.12.dr	String found in binary or memory: https://www.google.com
Source: gtm[1].js.12.dr	String found in binary or memory: https://www.google.com/pagead/conversion_async.js
Source: gtm[1].js.12.dr	String found in binary or memory: https://www.googletagmanager.com/a?id=
Source: gtm[1].js.12.dr	String found in binary or memory: https://www.googletagmanager.com/debug/bootstrap
Source: regsvr32.exe, 00000002.00000002.463903022.0000000002D6A000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.332982213.00000000007DC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: rundll32.exe, 00000003.00000003.332982213.00000000007DC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-KF5RH5
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://www.mail.com/
Source: ~DFD457134BEF5C6857.TMP.4.dr	String found in binary or memory: https://www.mail.com/consentpage
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://www.mail.com/consentpage/event/error
Source: consentpage[1].htm.10.dr	String found in binary or memory: https://www.mail.com/consentpage/event/visit
Source: {74AA983F-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr, ~DFD457134BEF5C6857.TMP.4.dr	String found in binary or memory: https://www.mail.com/consentpagebaQpLGER/anAUxx7k/P6qNRF5XQyAjAahpDrcIJV_/2BFr8ewDzH/kQKcuAEadNq8bnS
Source: {74AA983F-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: https://www.mail.com/cripath/fcbslbaQpLGER/anAUxx7k/P6qNRF5XQyAjAahpDrcIJV_/2BFr8ewDzH/kQKcuAEadNq8b
Source: {7E445288-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr, yrN363[1].htm.17.dr	String found in binary or memory: https://www.mail.com/uripath/12SHC3_2FBERODgxutp5ML/h7utXbstT4Ep7/tbKUvb_2/F06w2Xjt9I7odZkyOw0z07K/e
Source: {74AA9841-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr, gkYq_2By[1].htm.12.dr	String found in binary or memory: https://www.mail.com/uripath/6cPXuQdL_2BmDgfuO/pks3Rg5BYm99/NE64NorVqJ3/4HdH4Xej03hXYE/fc5_2FPChCXBm
Source: rundll32.exe, 00000003.00000002.461870715.00000000007AA000.00000004.00000020.sdmp, ~DFEE7F5527A8D06C31.TMP.4.dr, VzH[1].htm.47.dr, {A740FA16-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: https://www.mail.com/uripath/DB9ETgXe6nwyQsstGrZ/GV_2FFW_2BzS4Z3lw7WHHl/_2FgrzesS8kWd/kKmXQKz_/2Bu6B
Source: ~DF2C771EA764097EE3.TMP.4.dr, {A040EB81-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr, Jg[1].htm.41.dr	String found in binary or memory: https://www.mail.com/uripath/OersxYGC1SBjxc/LW_2Bp2dLyOb9ZJM5v2Fy/bzlJFMQzf27i5Kjw/yFJs3AzMzBXQHGu/a
Source: {74AA9843-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr, M[1].htm.15.dr	String found in binary or memory: https://www.mail.com/uripath/TeEj1Iq9En1ZXKj/EKPMedyL8nddy77gww/6odfYHOQ7/_2BOnFrfDJeq5HEFYDz3/Klylh
Source: YKaqn[1].htm0.10.dr, {74AA983F-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr, ~DFD457134BEF5C6857.TMP.4.dr	String found in binary or memory: https://www.mail.com/uripath/fcbslbaQpLGER/anAUxx7k/P6qNRF5XQyAjAahpDrcIJV_/2BFr8ewDzH/kQKcuAEadNq8b
Source: ~DF187A042C6181816E.TMP.4.dr, {99D19BD0-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr, 6ip3Jv[1].htm.40.dr	String found in binary or memory: https://www.mail.com/uripath/nSUXVVUM3QAYcgF_2B2Ea/adTih7WzsdeZ450I/pRQFCIZuMLtQrCY/n_2FpSC_2FEou7z1
Source: ~DF0BD758AF73A6D6E6.TMP.4.dr, {A040EB83-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr, PUpt[1].htm.43.dr	String found in binary or memory: https://www.mail.com/uripath/oyaVX4nPKMnFDPqr7GVs/yF75i8SNoL6_2FQyJ9C/eZEN1CgzwncaTW6N_2Bd7I/W0GAon4
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {681FC20B-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: {681FC20B-C964-11EB-90E4-ECF4BB862DED}.dat.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpq
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/showdown-um-ahv-nationalrat-beschliesst-frauenrentenal
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/nur-der-hauptt%c3%a4ter-macht-vor-gericht-noch-aus
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/sollen-sich-unfallverursacher-um-ein-verletztes-re
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wie-weit-darf-f%c3%bcrsorge-gehen-eine-frau-im-z%c
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/zwei-geldautomaten-in-winterthur-gesprengt-und-wei
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ab-juli-braucht-es-f%c3%bcrs-z%c3%bcrcher-nachtnetz-keinen-zusc
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/europas-st%c3%a4dte-verlieren-durch-corona-deutlich-an-attrakti
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/mit-seinen-dokfilmen-hat-er-virale-hits-geschaffen/ar-AAKQZ6z?o
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/platz-da/ar-AAKRqAp?ocid=hplocalnews
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/r%c3%a4uber-jagen-bancomaten-in-winterthur-in-die-luft/ar-AAKQS
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/strafuntersuchung-gegen-f%c3%bcnf-z%c3%bcrcher-polizisten/ar-AA
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.7.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.7.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: potec.core.min[1].js.12.dr	String found in binary or memory: https://www.youtube.com/embed/SrLZgP-OR6s

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49900 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49905 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.3:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.3:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49927 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.3:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49929 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.3:49928 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.260584112.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249635559.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249696219.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249777880.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284826529.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284690963.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249660130.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249753851.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272735904.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284735463.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272805771.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284547923.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260702857.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249724023.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284650338.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260762018.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260731309.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272676877.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260746216.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260616194.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249799539.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260642234.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284793748.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249611733.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272653487.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284765352.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272751791.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272698797.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272719921.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272625034.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284839420.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260666141.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5988, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6012, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4092, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.260584112.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249635559.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249696219.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249777880.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284826529.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284690963.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249660130.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249753851.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272735904.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284735463.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272805771.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284547923.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260702857.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249724023.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284650338.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260762018.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260731309.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272676877.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260746216.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260616194.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249799539.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260642234.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284793748.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249611733.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272653487.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284765352.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272751791.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272698797.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272719921.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272625034.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284839420.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260666141.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5988, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6012, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4092, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001F14 NtMapViewOfSection,		0_2_10001F14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100015F1 GetProcAddress,NtCreateSection,memset,		0_2_100015F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100023A5 NtQueryVirtualMemory,		0_2_100023A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01721168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		0_2_01721168
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0172B2F1 NtQueryVirtualMemory,		0_2_0172B2F1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00AD1168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		2_2_00AD1168
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00ADB2F1 NtQueryVirtualMemory,		2_2_00ADB2F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04251168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		3_2_04251168
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425B2F1 NtQueryVirtualMemory,		3_2_0425B2F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_029B1168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		6_2_029B1168
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_029BB2F1 NtQueryVirtualMemory,		6_2_029BB2F1

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002184		0_2_10002184
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0172696A		0_2_0172696A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01721B6A		0_2_01721B6A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0172B0CC		0_2_0172B0CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00ADB0CC		2_2_00ADB0CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00AD696A		2_2_00AD696A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00AD1B6A		2_2_00AD1B6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425B0CC		3_2_0425B0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425696A		3_2_0425696A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04251B6A		3_2_04251B6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_029BB0CC		6_2_029BB0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_029B696A		6_2_029B696A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_029B1B6A		6_2_029B1B6A

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: 2ff0174.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: 2ff0174.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal80.troj.winDLL@49/256@64/10

Contains functionality to enum processes or threads

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_01727F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_01727F56

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC1AEEBFBC1E9000C.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: 2ff0174.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2ff0174.dll',#1

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2ff0174.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2ff0174.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2ff0174.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2ff0174.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2ff0174.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:82948 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17440 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17446 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17452 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17456 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17464 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17472 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17482 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17488 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:83026 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17500 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:83040 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17514 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17520 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17524 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17530 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17534 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:83092 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2ff0174.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2ff0174.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2ff0174.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2ff0174.dll',#1			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:82948 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17440 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17446 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17452 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17456 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17464 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17472 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17482 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17488 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:83026 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17500 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:83040 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17514 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17520 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17524 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17530 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:17534 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5920 CREDAT:83092 /prefetch:2			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100017FA LoadLibraryA,GetProcAddress,

0_2_100017FA

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2ff0174.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002120 push ecx; ret		0_2_10002129
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002173 push ecx; ret		0_2_10002183
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0172AD00 push ecx; ret		0_2_0172AD09
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0172B0BB push ecx; ret		0_2_0172B0CB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00ADB0BB push ecx; ret		2_2_00ADB0CB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00ADAD00 push ecx; ret		2_2_00ADAD09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425B0BB push ecx; ret		3_2_0425B0CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425AD00 push ecx; ret		3_2_0425AD09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_029BB0BB push ecx; ret		6_2_029BB0CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_029BAD00 push ecx; ret		6_2_029BAD09

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.260584112.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249635559.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249696219.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249777880.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284826529.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284690963.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249660130.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249753851.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272735904.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284735463.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272805771.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284547923.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260702857.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249724023.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284650338.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260762018.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260731309.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272676877.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260746216.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260616194.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249799539.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260642234.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284793748.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249611733.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272653487.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284765352.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272751791.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272698797.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272719921.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272625034.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284839420.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260666141.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5988, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6012, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4092, type: MEMORY

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2416

Thread sleep time: -1667865539s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01724C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		0_2_01724C3B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00AD4C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_00AD4C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04254C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		3_2_04254C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_029B4C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		6_2_029B4C3B

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100017FA LoadLibraryA,GetProcAddress,

0_2_100017FA

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2ff0174.dll',#1

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000002.463206938.00000000024F0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.464440992.0000000003060000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.463017579.0000000002D40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.464798699.0000000002D60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.463206938.00000000024F0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.464440992.0000000003060000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.463017579.0000000002D40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.464798699.0000000002D60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.463206938.00000000024F0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.464440992.0000000003060000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.463017579.0000000002D40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.464798699.0000000002D60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.463206938.00000000024F0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.464440992.0000000003060000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.463017579.0000000002D40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.464798699.0000000002D60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_01722D6E cpuid

0_2_01722D6E

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_10001237

Contains functionality to query the account / user name

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_01722D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_01722D6E

Contains functionality to query windows version

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_10001CDD

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.260584112.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249635559.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249696219.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249777880.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284826529.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284690963.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249660130.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249753851.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272735904.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284735463.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272805771.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284547923.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260702857.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249724023.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284650338.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260762018.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260731309.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272676877.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260746216.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260616194.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249799539.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260642234.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284793748.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249611733.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272653487.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284765352.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272751791.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272698797.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272719921.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272625034.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284839420.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260666141.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5988, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6012, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4092, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.260584112.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249635559.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249696219.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249777880.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284826529.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284690963.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249660130.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249753851.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272735904.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284735463.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272805771.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284547923.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260702857.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249724023.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284650338.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260762018.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260731309.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272676877.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260746216.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260616194.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249799539.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260642234.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284793748.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.249611733.0000000005058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272653487.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284765352.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272751791.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272698797.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272719921.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.272625034.0000000004A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.284839420.0000000004C98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.260666141.0000000002148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5988, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6012, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4092, type: MEMORY