Windows Analysis Report YfDl.bin

Overview

General Information

Sample Name: YfDl.bin (renamed file extension from bin to dll)
Analysis ID: 457500
MD5: 499200f6a8e223c057c6e16701740721
SHA1: ef46f9c62b94715b750173074c51100285ff6fe9
SHA256: d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Creates an undocumented autostart registry key
Found stalling execution ending in API Sleep call
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: YfDl.dll Virustotal: Detection: 68%
Source: YfDl.dll Metadefender: Detection: 48%
Source: YfDl.dll ReversingLabs: Detection: 67%
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.regsvr32.exe.10000000.4.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 4.2.rundll32.exe.10000000.4.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: YfDl.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: regsvr32.exe, 00000003.00000003.452315965.0000000000E9E000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000003.444402975.000000000358E000.00000004.00000001.sdmp String found in binary or memory: http://allianceline.bar
Source: ~DF8CD487FC1219C4C3.TMP.5.dr, {2F1D94DD-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://allianceline.bar/jdraw/4trhqHpiyJW/gPL61gbH3V3gm2/GiN8WmuvnoRNfvQO06HHD/TolcFVz_2FK8ZYP2/IZQ7
Source: rundll32.exe, 00000017.00000003.434951888.0000000000726000.00000004.00000001.sdmp, ~DFD4A76AA401AA85CE.TMP.5.dr, {2F1D94DE-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://allianceline.bar/jdraw/_2FYs4QtMw9_2FVqLpLk2/u2LhzC7LFlqce_2B/EJ5CkL6CyTor06H/h9Yb_2BSjV6Rt1S
Source: {4205BD46-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://allianceline.bar/jdraw/cryAR_2BXe/tfZsZbCTIFSKEc_2F/fRFkFMDrwQ2J/nrfzPEYzAHe/Wx7an4ijbM8zE_/2
Source: {351E9074-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://allianceline.bar/jdraw/dLL7q72MwgF/_2BKoRFjbhgJAS/vzNzOQYcs22fS9PZmGiqk/ImBn4ZbMkjp0c79n/fXFE
Source: {27D0DC27-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://allianceline.bar/jdraw/eNEjgfypiWX/qzBN0pjHkXaIJy/uSQAHTqmu7LUbuntarKiK/xwqbRspQk1D8qp6M/HWl7
Source: regsvr32.exe, 00000003.00000002.474905552.0000000000EAD000.00000004.00000020.sdmp, rundll32.exe, 00000017.00000003.457906665.00000000006BE000.00000004.00000001.sdmp String found in binary or memory: http://alliancer.bar
Source: rundll32.exe, 00000017.00000003.457906665.00000000006BE000.00000004.00000001.sdmp, ~DFBADD5811DDF61BF9.TMP.5.dr, {4205BD42-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliancer.bar/jdraw/6t2TJPVp8r4_2Fuvh2KKhY/8YV_2B_2BRJ82/6nGE2eYA/7HHAwpkhVWuf8lW4yXxIq9d/P3s
Source: rundll32.exe, 00000017.00000003.452927412.000000000072F000.00000004.00000001.sdmp String found in binary or memory: http://alliancer.bar/jdraw/6t2TJPVp8r4_2Fuvh2KKhY/8YV_2B_2BRJ82/6nGE2eYA/7HHAwpkhVWufpkhVWuf8lW4yXxI
Source: {351E906A-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliancer.bar/jdraw/8hMkfU_2BkV2Ho4GURNxe/X8MBAAmtf27latmq/SxWCuMHAvCWenY2/OeooX6vNMX17Ym3H7Q
Source: regsvr32.exe, 00000003.00000003.452433761.0000000000E9E000.00000004.00000001.sdmp, ~DFE85B907226B27671.TMP.5.dr, {4205BD41-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliancer.bar/jdraw/T1Oye5dXOyO7X2/W2Jf88M5e37Kz6KOh7AdL/wY5JZWvpnXF42vVg/l7s4mKoV_2FqPNE/dhT
Source: rundll32.exe, 0000000C.00000003.340184563.0000000000682000.00000004.00000001.sdmp, rundll32.exe, 00000016.00000003.346218051.000000000311E000.00000004.00000001.sdmp, rundll32.exe, 0000002E.00000002.456285072.0000000002FAE000.00000004.00000020.sdmp String found in binary or memory: http://alliances.bar
Source: rundll32.exe, 00000016.00000002.350369034.0000000003184000.00000004.00000001.sdmp String found in binary or memory: http://alliances.bar/jdraw/
Source: rundll32.exe, 0000000C.00000003.329132970.0000000000682000.00000004.00000001.sdmp, ~DFFD1EDB472FE56296.TMP.5.dr, {1FE27CB5-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliances.bar/jdraw/AZ9j6FN_2FTyei6/Zf0uCNl_2FdnsseDLQ/aAlru6mfg/_2BxJ18hXN8l3o6HRZtg/iMkRHAW
Source: regsvr32.exe, 00000003.00000003.356821705.0000000000EAE000.00000004.00000001.sdmp, ~DF64E9FE35B66A2C9A.TMP.5.dr, {27D0DC2A-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliances.bar/jdraw/KzfCuU1nYQ/2jKJWMeBiltqUkBZk/bJHRs3aRSUlv/cI63tiCHI_2/F5uaZGCIn42HAA/37yN
Source: {27D0DC35-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliances.bar/jdraw/PjuRunwYj4Bhvxk9T/FkaG6F1W0LAq/7ctDH_2F3Sg/7ugfKJqoxNQwsg/2ypZ1ap9U9TAmPN
Source: {351E906E-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr, ~DFE0ACA2F9A459348A.TMP.5.dr String found in binary or memory: http://alliances.bar/jdraw/Rb3_2FHxtxhMSM8zm/gYEt3B3r9PE_/2FfL3q236io/GFNEH8CEcSGt3Q/Xgu6vIh5KIqx2S1
Source: {2F1D94D8-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliances.bar/jdraw/_2Fgi_2F0q9mbLIMOTyI/MSZHR0hHa_2BmeQiSR3/W8oggZpI5myExagD6_2BTj/ey2UGr7Nb
Source: {351E906C-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr, ~DFB40722157E1D6737.TMP.5.dr String found in binary or memory: http://alliances.bar/jdraw/_2FrlUhAClUiRyd8MwHtotk/I15TfspZAu/z01In076RAgynlo0F/aYBbR51uD1ML/uqQjbpx
Source: {351E9070-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr, ~DFB0096A8757170FB6.TMP.5.dr String found in binary or memory: http://alliances.bar/jdraw/b812tUOw/5vOcsr2Qa7HjSQYaeUGfQDe/A8EgAMSWJM/_2FFmfetjQhRMnISV/eMe6aV6DLPB
Source: {19D46F2C-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliances.bar/jdraw/eWbkeEy29Mk9inNA7c/ATuO3Prha/DtolimWlXpnk8nFP0lSw/2yNlaC5cCiMklCCNwvu/sQN
Source: rundll32.exe, 00000017.00000003.357013762.0000000000726000.00000004.00000001.sdmp, ~DF159F2DDBDEF8FBC7.TMP.5.dr, {27D0DC2B-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliances.bar/jdraw/exPqHXDWoHjGDSQp9Aa/A_2B2jfV7Yu2z_2F81zrpc/4Hw3JjoG2C8FN/up0W_2Bg/2cOat_2
Source: {351E9072-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliances.bar/jdraw/i1UnGotMRZpYX5QI846/jmFIJI_2FNDz7pkL8TrBB5/fMotNSc0eJn6p/utqPXHuH/Wff27J_
Source: {1FE27CB9-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliances.bar/jdraw/p8BTc7rmN9rFz/dvVilNn8/1u0hUUFj3rLKVzUph9HCH9E/7PtciZB2lc/xpKpNIjlUqwM7Qo
Source: YfDl.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: YfDl.dll String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: YfDl.dll String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: YfDl.dll String found in binary or memory: http://ocsp.digicert.com0O
Source: de-ch[1].htm.8.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.8.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.8.dr String found in binary or memory: http://popup.taboola.com/german
Source: {01B84D62-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: YfDl.dll String found in binary or memory: http://www.digicert.com/CPS0
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: de-ch[1].htm.8.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.8.dr String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: de-ch[1].htm.8.dr String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.8.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.8.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.8.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.8.dr String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.8.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562&amp;epi=de-ch
Source: de-ch[1].htm.8.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24952290
Source: de-ch[1].htm.8.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
Source: {01B84D62-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.8.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.8.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.8.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: {01B84D62-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {01B84D62-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.8.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.8.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1627822884&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.8.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1627822885&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.8.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1627822884&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.8.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.8.dr String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.8.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.8.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: {01B84D62-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.8.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.8.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.8.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: imagestore.dat.8.dr, imagestore.dat.5.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.8.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.8.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMEUCC.img?h=27&amp;w
Source: de-ch[1].htm.8.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMKTvw.img?h=368&amp;
Source: de-ch[1].htm.8.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.8.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.8.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.8.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.8.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.8.dr String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
Source: de-ch[1].htm.8.dr String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.8.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.8.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: {01B84D62-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/1-august-feiern-im-kanton-z%c3%bcrich-steigt-auf-d
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/geld-f%c3%bcr-mich-bedeutete-nicht-geld-f%c3%bcr-d
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/stopp-sie-fahren-mir-gleich-%c3%bcber-den-fuss-sch
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/das-z%c3%bcrich-openair-findet-nicht-statt/ar-AAMKnHU?ocid=hplo
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/lenker-31-verliert-auf-a3-kontrolle-%c3%bcber-sein-auto-und-ras
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/mann-wird-am-hb-von-zug-gestreift-und-schwer-verletzt/ar-AAMMAg
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/mann-wird-auf-autobahn-von-auto-erfasst-und-schwer-verletzt/ar-
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/rodriguez-soll-auf-abfindung-verzichten/ar-AAMMSQA?ocid=hplocal
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/wels-beisst-frau-das-war-gf%c3%bcrchig/ar-AAMKC2l?ocid=hplocaln
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrich-open-air-wird-abgesagt/ar-AAMKnsB?ocid=hplocalnews
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com/de-ch/sport/olympia?ocid=StripeOCID
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.8.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.8.dr String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.8.dr String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.8.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49752 version: TLS 1.2
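Most of the URL strings above are noise from the msn.com page the sandbox browser loaded; the ones that matter are the allianceline.bar, alliancer.bar and alliances.bar requests, whose paths are a fixed directory (/jdraw/) followed by slash-separated alphanumeric chunks containing _2F and _2B, i.e. the percent-encodings of the base64 characters / and + with % swapped for _. The script below is an added triage example, not Joe Sandbox output or code: it parses "String found in binary or memory" lines copied verbatim from this report, groups the URLs by host, keeps the memory-dump and dropped-file sources for attribution, and flags hosts whose paths match that shape. It only reverses the two escapes that are visible in the report; it does not attempt to decode or decrypt the request payload.

```python
"""Triage of Joe Sandbox "String found in binary or memory" lines: pull out every
URL, group by host, and flag hosts whose paths have the Ursnif-style shape seen in
this report.  Added example, not Joe Sandbox code."""
import re
from urllib.parse import urlsplit

MARKER = " String found in binary or memory: "

# Report lines copied verbatim from the page above.  The report truncates long
# strings, which is why several URLs end mid-token.
REPORT_LINES = [
    "Source: unknown DNS traffic detected: queries for: www.msn.com",
    "Source: regsvr32.exe, 00000003.00000003.452315965.0000000000E9E000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000003.444402975.000000000358E000.00000004.00000001.sdmp String found in binary or memory: http://allianceline.bar",
    "Source: ~DF8CD487FC1219C4C3.TMP.5.dr, {2F1D94DD-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://allianceline.bar/jdraw/4trhqHpiyJW/gPL61gbH3V3gm2/GiN8WmuvnoRNfvQO06HHD/TolcFVz_2FK8ZYP2/IZQ7",
    "Source: rundll32.exe, 00000017.00000003.452927412.000000000072F000.00000004.00000001.sdmp String found in binary or memory: http://alliancer.bar/jdraw/6t2TJPVp8r4_2Fuvh2KKhY/8YV_2B_2BRJ82/6nGE2eYA/7HHAwpkhVWufpkhVWuf8lW4yXxI",
    "Source: rundll32.exe, 00000016.00000002.350369034.0000000003184000.00000004.00000001.sdmp String found in binary or memory: http://alliances.bar/jdraw/",
    "Source: {351E9072-F314-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://alliances.bar/jdraw/i1UnGotMRZpYX5QI846/jmFIJI_2FNDz7pkL8TrBB5/fMotNSc0eJn6p/utqPXHuH/Wff27J_",
    "Source: YfDl.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0",
    "Source: de-ch[1].htm.8.dr String found in binary or memory: http://ogp.me/ns#",
    "Source: de-ch[1].htm.8.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1627822884&amp;rver=7.0.6730.0&am",
]

PAYLOAD_CHUNK = re.compile(r"^[A-Za-z0-9_]+$")
BASE64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")


def parse_line(line):
    """Return (sources, url) for a URL string line, or None for any other line."""
    if not line.startswith("Source: ") or MARKER not in line:
        return None
    head, value = line.split(MARKER, 1)
    value = value.strip()
    if not value.startswith(("http://", "https://")):
        return None
    sources = [s.strip() for s in head[len("Source: "):].split(",")]
    return sources, value


def unescape_payload(chunks):
    """Join the path chunks and undo the two escapes visible in the report
    ('_2F' -> '/', '_2B' -> '+').  A trailing '_' or '_2' is a truncated escape
    left by the report's string limit and is dropped."""
    joined = re.sub(r"_2?$", "", "".join(chunks))
    return joined.replace("_2F", "/").replace("_2B", "+")


def looks_like_ursnif_uri(url):
    """Heuristic: /<dir>/<chunk>/<chunk>/... where every chunk is alphanumeric
    (plus '_'), at least one '_2F'/'_2B' escape occurs, and the unescaped text
    stays inside the base64 alphabet.  A triage filter, not a signature."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if len(segments) < 3:  # fixed directory plus at least two payload chunks
        return False
    chunks = segments[1:]
    if not all(PAYLOAD_CHUNK.match(c) for c in chunks):
        return False
    joined = "".join(chunks)
    if "_2F" not in joined and "_2B" not in joined:
        return False
    return BASE64_ALPHABET.match(unescape_payload(chunks)) is not None


def triage(lines):
    """Group URLs by host.  A host is marked ursnif_uri=True when any of its paths
    matches looks_like_ursnif_uri(); sources are kept so the hit can be tied back
    to a process memory dump (.sdmp) or a dropped file (.dr)."""
    hosts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sources, url = parsed
        host = urlsplit(url).hostname
        entry = hosts.setdefault(host, {"ursnif_uri": False, "urls": [], "sources": set()})
        entry["urls"].append(url)
        entry["sources"].update(sources)
        if looks_like_ursnif_uri(url):
            entry["ursnif_uri"] = True
    return hosts


def c2_hosts(lines):
    """Sorted list of hosts that served at least one Ursnif-shaped path."""
    return sorted(h for h, e in triage(lines).items() if e["ursnif_uri"])


if __name__ == "__main__":
    for host, entry in triage(REPORT_LINES).items():
        flag = "C2?" if entry["ursnif_uri"] else "   "
        print(f"{flag} {host:24} {len(entry['urls'])} url(s)  from: {', '.join(sorted(entry['sources']))}")
```

Run against the lines above, the three .bar hosts are flagged and the DigiCert, ogp.me and login.live.com strings are not; the bare "http://alliances.bar/jdraw/" string is kept under its host but does not itself trigger the flag, since the shape check needs the payload chunks. The source list for allianceline.bar shows the string living in both the regsvr32.exe and rundll32.exe dumps as well as in the browser's .dat/.TMP drops, which is the kind of cross-process evidence worth carrying into a detection write-up.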

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.428802489.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310250645.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368506549.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385717547.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367471901.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295795718.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309722106.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259140674.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.366983460.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280402346.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309589226.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.415488289.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295762368.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295981429.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295901229.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310144792.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259178122.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.310335999.0000000005678000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428515499.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428837675.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367322753.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259099397.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.310021531.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321707074.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259250940.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280442585.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.343816596.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.395162233.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280372433.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.384858855.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364869086.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428611848.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.353270821.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259222797.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336223581.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365062749.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336185061.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.459586064.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368421655.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.460775914.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321756107.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309505620.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295849373.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310212383.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.474906529.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365099890.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364977228.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321909022.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309660073.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280191384.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368551599.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368346307.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295923025.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321848683.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.476957957.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367645140.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280276584.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280138372.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.258952943.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364937205.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385510006.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368531499.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368451118.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309974225.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368293297.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336096103.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385353671.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428554224.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336204746.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.408307408.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321555066.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309817966.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280343715.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.477641592.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309868338.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385676022.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385602355.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428457894.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.446732830.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.322064190.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309919627.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336004164.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367145578.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309399685.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368387169.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295955814.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.322004343.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280095345.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367427983.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310086165.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428746719.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259048645.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364804810.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365132346.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367564193.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259264233.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385558639.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309887913.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385639765.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365018193.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321610655.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336054371.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309772523.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428583719.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.430581205.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336145332.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367387100.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295722944.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.335927438.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6104, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.428802489.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310250645.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368506549.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385717547.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367471901.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295795718.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309722106.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259140674.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.366983460.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280402346.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309589226.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.415488289.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295762368.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295981429.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295901229.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310144792.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259178122.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.310335999.0000000005678000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428515499.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428837675.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367322753.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259099397.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.310021531.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321707074.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259250940.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280442585.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.343816596.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.395162233.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280372433.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.384858855.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364869086.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428611848.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.353270821.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259222797.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336223581.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365062749.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336185061.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.459586064.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368421655.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.460775914.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321756107.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309505620.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295849373.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310212383.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.474906529.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365099890.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364977228.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321909022.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309660073.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280191384.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368551599.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368346307.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295923025.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321848683.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.476957957.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367645140.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280276584.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280138372.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.258952943.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364937205.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385510006.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368531499.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368451118.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309974225.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368293297.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336096103.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385353671.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428554224.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336204746.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.408307408.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321555066.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309817966.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280343715.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.477641592.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309868338.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385676022.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385602355.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428457894.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.446732830.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.322064190.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309919627.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336004164.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367145578.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309399685.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368387169.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295955814.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.322004343.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280095345.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367427983.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310086165.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428746719.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259048645.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364804810.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365132346.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367564193.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259264233.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385558639.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309887913.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385639765.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365018193.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321610655.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336054371.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309772523.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428583719.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.430581205.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336145332.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367387100.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295722944.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.335927438.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6104, type: MEMORYSTR

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001996 GetProcAddress,NtCreateSection,memset, 0_2_10001996
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001A44 NtMapViewOfSection, 0_2_10001A44
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100023A5 NtQueryVirtualMemory, 0_2_100023A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C004AF NtAllocateVirtualMemory, 0_2_00C004AF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C00478 NtAllocateVirtualMemory, 0_2_00C00478
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D25A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_00D25A27
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D2B1A5 NtQueryVirtualMemory, 3_2_00D2B1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_047D5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_047D5A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_047DB1A5 NtQueryVirtualMemory, 4_2_047DB1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD04AF NtAllocateVirtualMemory, 4_2_02CD04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD0478 NtAllocateVirtualMemory, 4_2_02CD0478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE0478 NtAllocateVirtualMemory, 6_2_02BE0478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE04AF NtAllocateVirtualMemory, 6_2_02BE04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00845A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 12_2_00845A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0084B1A5 NtQueryVirtualMemory, 12_2_0084B1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04CF5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 13_2_04CF5A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04CFB1A5 NtQueryVirtualMemory, 13_2_04CFB1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_02DD04AF NtAllocateVirtualMemory, 13_2_02DD04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_02DD0478 NtAllocateVirtualMemory, 13_2_02DD0478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034C5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 14_2_034C5A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034CB1A5 NtQueryVirtualMemory, 14_2_034CB1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_02DF04AF NtAllocateVirtualMemory, 14_2_02DF04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_02DF0478 NtAllocateVirtualMemory, 14_2_02DF0478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04F85A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 18_2_04F85A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04F8B1A5 NtQueryVirtualMemory, 18_2_04F8B1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_06BA5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 22_2_06BA5A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_06BAB1A5 NtQueryVirtualMemory, 22_2_06BAB1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_04665A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 23_2_04665A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0466B1A5 NtQueryVirtualMemory, 23_2_0466B1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02F20478 NtAllocateVirtualMemory, 25_2_02F20478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02F204AF NtAllocateVirtualMemory, 25_2_02F204AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_02BE0478 NtAllocateVirtualMemory, 31_2_02BE0478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_02BE04AF NtAllocateVirtualMemory, 31_2_02BE04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_04445A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 36_2_04445A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_0444B1A5 NtQueryVirtualMemory, 36_2_0444B1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_008304AF NtAllocateVirtualMemory, 36_2_008304AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_00830478 NtAllocateVirtualMemory, 36_2_00830478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04D75A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 37_2_04D75A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04D7B1A5 NtQueryVirtualMemory, 37_2_04D7B1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04780478 NtAllocateVirtualMemory, 37_2_04780478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_047804AF NtAllocateVirtualMemory, 37_2_047804AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_04B65A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 41_2_04B65A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_04B6B1A5 NtQueryVirtualMemory, 41_2_04B6B1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_029B04AF NtAllocateVirtualMemory, 41_2_029B04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_029B0478 NtAllocateVirtualMemory, 41_2_029B0478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_052CB1A5 NtQueryVirtualMemory, 42_2_052CB1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_052C5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 42_2_052C5A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_03240478 NtAllocateVirtualMemory, 42_2_03240478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_032404AF NtAllocateVirtualMemory, 42_2_032404AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_034904AF NtAllocateVirtualMemory, 44_2_034904AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_03490478 NtAllocateVirtualMemory, 44_2_03490478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02F55A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 46_2_02F55A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02F5B1A5 NtQueryVirtualMemory, 46_2_02F5B1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02D904AF NtAllocateVirtualMemory, 46_2_02D904AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02D90478 NtAllocateVirtualMemory, 46_2_02D90478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 48_2_04925A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 48_2_04925A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 48_2_0492B1A5 NtQueryVirtualMemory, 48_2_0492B1A5
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002184 0_2_10002184
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C00A80 0_2_00C00A80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C00A7E 0_2_00C00A7E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D23EE1 3_2_00D23EE1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D2888E 3_2_00D2888E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D2AF80 3_2_00D2AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_047D3EE1 4_2_047D3EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_047D888E 4_2_047D888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_047DAF80 4_2_047DAF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD0A80 4_2_02CD0A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD0A7E 4_2_02CD0A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE0A7E 6_2_02BE0A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE0A80 6_2_02BE0A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0084888E 12_2_0084888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00843EE1 12_2_00843EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0084AF80 12_2_0084AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04CF3EE1 13_2_04CF3EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04CF888E 13_2_04CF888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04CFAF80 13_2_04CFAF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_02DD0A80 13_2_02DD0A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_02DD0A7E 13_2_02DD0A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034CAF80 14_2_034CAF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034C3EE1 14_2_034C3EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034C888E 14_2_034C888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_02DF0A80 14_2_02DF0A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_02DF0A7E 14_2_02DF0A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04F83EE1 18_2_04F83EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04F8888E 18_2_04F8888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04F8AF80 18_2_04F8AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_06BA888E 22_2_06BA888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_06BA3EE1 22_2_06BA3EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_06BAAF80 22_2_06BAAF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_04663EE1 23_2_04663EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0466888E 23_2_0466888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0466AF80 23_2_0466AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02F20A7E 25_2_02F20A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02F20A80 25_2_02F20A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_02BE0A7E 31_2_02BE0A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_02BE0A80 31_2_02BE0A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_04443EE1 36_2_04443EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_0444888E 36_2_0444888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_0444AF80 36_2_0444AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_00830A80 36_2_00830A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_00830A7E 36_2_00830A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04D73EE1 37_2_04D73EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04D7888E 37_2_04D7888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04D7AF80 37_2_04D7AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04780A7E 37_2_04780A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04780A80 37_2_04780A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_04B6888E 41_2_04B6888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_04B63EE1 41_2_04B63EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_04B6AF80 41_2_04B6AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_029B0A80 41_2_029B0A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_029B0A7E 41_2_029B0A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_052CAF80 42_2_052CAF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_052C888E 42_2_052C888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_052C3EE1 42_2_052C3EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_03240A7E 42_2_03240A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_03240A80 42_2_03240A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_03490A80 44_2_03490A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_03490A7E 44_2_03490A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02F53EE1 46_2_02F53EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02F5888E 46_2_02F5888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02F5AF80 46_2_02F5AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02D90A80 46_2_02D90A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02D90A7E 46_2_02D90A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 48_2_0492888E 48_2_0492888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 48_2_04923EE1 48_2_04923EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 48_2_0492AF80 48_2_0492AF80
PE file contains more sections than normal
Source: YfDl.dll Static PE information: Number of sections : 27 > 10
PE file contains strange resources
Source: YfDl.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Uses 32bit PE files
Source: YfDl.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.troj.evad.winDLL@87/254@35/9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D2A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_00D2A65C
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFE1686BD0F8BBB5D0.TMP Jump to behavior
Source: YfDl.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\YfDl.dll',#1
Source: YfDl.dll Virustotal: Detection: 68%
Source: YfDl.dll Metadefender: Detection: 48%
Source: YfDl.dll ReversingLabs: Detection: 67%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\YfDl.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\YfDl.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YfDl.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\YfDl.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Opisthotonos
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Hydrazo
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Overlock
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Automobilist
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Swampland
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17426 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Subarachnoid
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Bechained
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Unforeseenness
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:82960 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Incrimination
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:82964 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Oversystematic
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17442 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Shieldless
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Tsarevitch
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:82978 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17446 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Torchbearer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Moler
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17476 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Hyperpigmented
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17480 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Adipous
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17484 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Undazzled
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:83022 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Peckishness
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\YfDl.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YfDl.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Opisthotonos Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Hydrazo Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Overlock Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Automobilist Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Swampland Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Subarachnoid Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Bechained Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Unforeseenness Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Incrimination Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Oversystematic Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Shieldless Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Tsarevitch Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Torchbearer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Moler Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Hyperpigmented Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Adipous Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Undazzled Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YfDl.dll,Peckishness Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\YfDl.dll',#1 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17426 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:82960 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:82964 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17442 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:82978 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17446 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17476 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17480 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17484 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:83022 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001BAC LoadLibraryA,GetProcAddress, 0_2_10001BAC
PE file contains an invalid checksum
Source: YfDl.dll Static PE information: real checksum: 0x44eb9 should be: 0x40da6
PE file contains sections with non-standard names
Source: YfDl.dll Static PE information: section name: .unsooth
Source: YfDl.dll Static PE information: section name: .prekind
Source: YfDl.dll Static PE information: section name: .aqueoig
Source: YfDl.dll Static PE information: section name: .spiritr
Source: YfDl.dll Static PE information: section name: .nectaro
Source: YfDl.dll Static PE information: section name: .philolo
Source: YfDl.dll Static PE information: section name: .pres
Source: YfDl.dll Static PE information: section name: .outglad
Source: YfDl.dll Static PE information: section name: .pogonir
Source: YfDl.dll Static PE information: section name: .taurico
Source: YfDl.dll Static PE information: section name: .untar
Source: YfDl.dll Static PE information: section name: .muskroo
Source: YfDl.dll Static PE information: section name: .cricoto
Source: YfDl.dll Static PE information: section name: .breaghe
Source: YfDl.dll Static PE information: section name: .shunnab
Source: YfDl.dll Static PE information: section name: .hemaut
Source: YfDl.dll Static PE information: section name: .uncongr
Source: YfDl.dll Static PE information: section name: .tonner
Source: YfDl.dll Static PE information: section name: .jink
Source: YfDl.dll Static PE information: section name: .stirles
Source: YfDl.dll Static PE information: section name: .imper
Source: YfDl.dll Static PE information: section name: .unsubve
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\YfDl.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10000083 push eax; iretd 0_2_100000B2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002120 push ecx; ret 0_2_10002129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002173 push ecx; ret 0_2_10002183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C00304 push dword ptr [ebp-00000280h]; ret 0_2_00C00373
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C007C8 push dword ptr [esp+0Ch]; ret 0_2_00C007DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C007C8 push dword ptr [esp+10h]; ret 0_2_00C00822
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C002D2 push dword ptr [ebp-00000280h]; ret 0_2_00C00477
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C004AF push dword ptr [ebp-00000280h]; ret 0_2_00C0065D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C004AF push dword ptr [ebp-00000288h]; ret 0_2_00C006B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C004AF push dword ptr [esp+10h]; ret 0_2_00C007C7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C00478 push dword ptr [ebp-00000280h]; ret 0_2_00C004AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D2E0C7 push cs; ret 3_2_00D2E0C8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D2E458 push ds; retf 3_2_00D2E47A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D2ABC0 push ecx; ret 3_2_00D2ABC9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D2E163 push edx; iretd 3_2_00D2E164
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D2AF6F push ecx; ret 3_2_00D2AF7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_047DAF6F push ecx; ret 4_2_047DAF7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_047DABC0 push ecx; ret 4_2_047DABC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD02D2 push dword ptr [ebp-00000280h]; ret 4_2_02CD0477
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD04AF push dword ptr [ebp-00000280h]; ret 4_2_02CD065D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD04AF push dword ptr [ebp-00000288h]; ret 4_2_02CD06B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD04AF push dword ptr [esp+10h]; ret 4_2_02CD07C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD0478 push dword ptr [ebp-00000280h]; ret 4_2_02CD04AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD07C8 push dword ptr [esp+0Ch]; ret 4_2_02CD07DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD07C8 push dword ptr [esp+10h]; ret 4_2_02CD0822
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD0304 push dword ptr [ebp-00000280h]; ret 4_2_02CD0373
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE0478 push dword ptr [ebp-00000280h]; ret 6_2_02BE04AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE04AF push dword ptr [ebp-00000280h]; ret 6_2_02BE065D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE04AF push dword ptr [ebp-00000288h]; ret 6_2_02BE06B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE04AF push dword ptr [esp+10h]; ret 6_2_02BE07C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE02D2 push dword ptr [ebp-00000280h]; ret 6_2_02BE0477

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser ITBar7Height

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.428802489.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310250645.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368506549.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385717547.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367471901.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295795718.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309722106.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259140674.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.366983460.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280402346.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309589226.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.415488289.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295762368.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295981429.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295901229.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310144792.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259178122.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.310335999.0000000005678000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428515499.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428837675.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367322753.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259099397.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.310021531.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321707074.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259250940.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280442585.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.343816596.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.395162233.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280372433.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.384858855.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364869086.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428611848.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.353270821.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259222797.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336223581.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365062749.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336185061.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.459586064.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368421655.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.460775914.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321756107.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309505620.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295849373.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310212383.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.474906529.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365099890.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364977228.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321909022.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309660073.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280191384.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368551599.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368346307.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295923025.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321848683.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.476957957.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367645140.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280276584.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280138372.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.258952943.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364937205.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385510006.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368531499.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368451118.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309974225.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368293297.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336096103.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385353671.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428554224.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336204746.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.408307408.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321555066.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309817966.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280343715.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.477641592.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309868338.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385676022.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385602355.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428457894.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.446732830.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.322064190.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309919627.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336004164.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367145578.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309399685.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368387169.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295955814.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.322004343.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280095345.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367427983.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310086165.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428746719.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259048645.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364804810.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365132346.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367564193.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259264233.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385558639.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309887913.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385639765.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365018193.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321610655.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336054371.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309772523.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428583719.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.430581205.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336145332.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367387100.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295722944.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.335927438.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6104, type: MEMORYSTR
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Windows\SysWOW64\rundll32.exe Stalling execution: Execution stalls by calling Sleep
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 2.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5028 Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6804 Thread sleep time: -1667865539s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001BAC LoadLibraryA,GetProcAddress, 0_2_10001BAC
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C007C8 mov eax, dword ptr fs:[00000030h] 0_2_00C007C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C006DF mov eax, dword ptr fs:[00000030h] 0_2_00C006DF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C00823 mov eax, dword ptr fs:[00000030h] 0_2_00C00823
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C004AF mov eax, dword ptr fs:[00000030h] 0_2_00C004AF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C008B4 mov eax, dword ptr fs:[00000030h] 0_2_00C008B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD06DF mov eax, dword ptr fs:[00000030h] 4_2_02CD06DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD04AF mov eax, dword ptr fs:[00000030h] 4_2_02CD04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD08B4 mov eax, dword ptr fs:[00000030h] 4_2_02CD08B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD0823 mov eax, dword ptr fs:[00000030h] 4_2_02CD0823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CD07C8 mov eax, dword ptr fs:[00000030h] 4_2_02CD07C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE08B4 mov eax, dword ptr fs:[00000030h] 6_2_02BE08B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE04AF mov eax, dword ptr fs:[00000030h] 6_2_02BE04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE0823 mov eax, dword ptr fs:[00000030h] 6_2_02BE0823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE06DF mov eax, dword ptr fs:[00000030h] 6_2_02BE06DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BE07C8 mov eax, dword ptr fs:[00000030h] 6_2_02BE07C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_02DD06DF mov eax, dword ptr fs:[00000030h] 13_2_02DD06DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_02DD08B4 mov eax, dword ptr fs:[00000030h] 13_2_02DD08B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_02DD04AF mov eax, dword ptr fs:[00000030h] 13_2_02DD04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_02DD0823 mov eax, dword ptr fs:[00000030h] 13_2_02DD0823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_02DD07C8 mov eax, dword ptr fs:[00000030h] 13_2_02DD07C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_02DF06DF mov eax, dword ptr fs:[00000030h] 14_2_02DF06DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_02DF08B4 mov eax, dword ptr fs:[00000030h] 14_2_02DF08B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_02DF04AF mov eax, dword ptr fs:[00000030h] 14_2_02DF04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_02DF0823 mov eax, dword ptr fs:[00000030h] 14_2_02DF0823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_02DF07C8 mov eax, dword ptr fs:[00000030h] 14_2_02DF07C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02F208B4 mov eax, dword ptr fs:[00000030h] 25_2_02F208B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02F20823 mov eax, dword ptr fs:[00000030h] 25_2_02F20823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02F204AF mov eax, dword ptr fs:[00000030h] 25_2_02F204AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02F206DF mov eax, dword ptr fs:[00000030h] 25_2_02F206DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_2_02F207C8 mov eax, dword ptr fs:[00000030h] 25_2_02F207C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_02BE08B4 mov eax, dword ptr fs:[00000030h] 31_2_02BE08B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_02BE04AF mov eax, dword ptr fs:[00000030h] 31_2_02BE04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_02BE0823 mov eax, dword ptr fs:[00000030h] 31_2_02BE0823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_02BE06DF mov eax, dword ptr fs:[00000030h] 31_2_02BE06DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 31_2_02BE07C8 mov eax, dword ptr fs:[00000030h] 31_2_02BE07C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_008304AF mov eax, dword ptr fs:[00000030h] 36_2_008304AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_008308B4 mov eax, dword ptr fs:[00000030h] 36_2_008308B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_008306DF mov eax, dword ptr fs:[00000030h] 36_2_008306DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_00830823 mov eax, dword ptr fs:[00000030h] 36_2_00830823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_008307C8 mov eax, dword ptr fs:[00000030h] 36_2_008307C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_04780823 mov eax, dword ptr fs:[00000030h] 37_2_04780823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_047806DF mov eax, dword ptr fs:[00000030h] 37_2_047806DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_047808B4 mov eax, dword ptr fs:[00000030h] 37_2_047808B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_047804AF mov eax, dword ptr fs:[00000030h] 37_2_047804AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 37_2_047807C8 mov eax, dword ptr fs:[00000030h] 37_2_047807C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_029B08B4 mov eax, dword ptr fs:[00000030h] 41_2_029B08B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_029B04AF mov eax, dword ptr fs:[00000030h] 41_2_029B04AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_029B06DF mov eax, dword ptr fs:[00000030h] 41_2_029B06DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_029B0823 mov eax, dword ptr fs:[00000030h] 41_2_029B0823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 41_2_029B07C8 mov eax, dword ptr fs:[00000030h] 41_2_029B07C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_032407C8 mov eax, dword ptr fs:[00000030h] 42_2_032407C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_03240823 mov eax, dword ptr fs:[00000030h] 42_2_03240823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_032404AF mov eax, dword ptr fs:[00000030h] 42_2_032404AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_032408B4 mov eax, dword ptr fs:[00000030h] 42_2_032408B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 42_2_032406DF mov eax, dword ptr fs:[00000030h] 42_2_032406DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_034907C8 mov eax, dword ptr fs:[00000030h] 44_2_034907C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_034906DF mov eax, dword ptr fs:[00000030h] 44_2_034906DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_034904AF mov eax, dword ptr fs:[00000030h] 44_2_034904AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_03490823 mov eax, dword ptr fs:[00000030h] 44_2_03490823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_034908B4 mov eax, dword ptr fs:[00000030h] 44_2_034908B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02D906DF mov eax, dword ptr fs:[00000030h] 46_2_02D906DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02D908B4 mov eax, dword ptr fs:[00000030h] 46_2_02D908B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02D904AF mov eax, dword ptr fs:[00000030h] 46_2_02D904AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02D90823 mov eax, dword ptr fs:[00000030h] 46_2_02D90823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 46_2_02D907C8 mov eax, dword ptr fs:[00000030h] 46_2_02D907C8

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\YfDl.dll',#1
Source: loaddll32.exe, 00000000.00000002.475289319.0000000001FA0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.476551144.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.476286482.0000000003300000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.475289319.0000000001FA0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.476551144.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.476286482.0000000003300000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.475289319.0000000001FA0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.476551144.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.476286482.0000000003300000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.475289319.0000000001FA0000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.476551144.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.476286482.0000000003300000.00000002.00000001.sdmp Binary or memory string: Progmanlock
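One caveat on the process-creation evidence above: the cmd.exe to rundll32.exe launch with `'C:\Users\user\Desktop\YfDl.dll',#1` is how the analysis harness (loaddll32.exe) drives each export of a submitted DLL, so in this report it describes the sandbox, not the malware's own delivery chain. On a real endpoint, however, the same shape (a script host handing a DLL in a user-writable directory to rundll32 by ordinal) is exactly what a detection engineer wants to alert on. The triage function below is an added example and is not part of this report; it runs over constructed process-creation events laid out like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The trusted-directory list, the writable exceptions under C:\Windows, and the set of script-host parents are assumptions to tune for your own environment.

```python
import re

# Matches  rundll32[.exe] <dll>,<export>  with the DLL path optionally quoted.
_RUNDLL = re.compile(
    r"""rundll32(?:\.exe)?\s+["']?(?P<dll>[^"',]+)["']?\s*,\s*(?P<export>#?\w+)""", re.I)

# Where a legitimate rundll32 target normally lives, and well-known user-writable
# directories inside those trees (non-exhaustive; extend for your estate).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_HOLES = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")

# Parents that commonly hand a dropped DLL to rundll32 in commodity-malware chains.
SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def triage_rundll32(event):
    """Return None if the event is not a rundll32 launch, otherwise a dict with the
    parsed DLL, the export, the reasons it looks suspicious, and a verdict."""
    m = _RUNDLL.search(event.get("CommandLine", ""))
    if not m:
        return None
    dll = m.group("dll").strip()
    export = m.group("export")
    low = dll.lower()
    reasons = []
    if not low.startswith(TRUSTED_DIRS) or low.startswith(WRITABLE_HOLES):
        reasons.append("dll in user-writable location")
    if export.startswith("#"):
        reasons.append("export invoked by ordinal")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned by {parent}")
    # Two independent signals are required so a lone ordinal call or a lone
    # cmd.exe parent (both common in admin scripts) does not page anyone.
    return {"dll": dll, "export": export, "reasons": reasons, "suspicious": len(reasons) >= 2}


def triage_all(events):
    """Filter a batch of events down to the suspicious rundll32 launches."""
    return [r for r in (triage_rundll32(e) for e in events) if r and r["suspicious"]]


# Constructed events in the shape of Sysmon Event ID 1 fields. The first mirrors the
# launch recorded in this report; the other two are benign noise.
EVENTS = [
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe 'C:\Users\user\Desktop\YfDl.dll',#1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for r in triage_all(EVENTS):
        print(f"{r['dll']} export {r['export']}: {', '.join(r['reasons'])}")
```

The verdict deliberately ignores the rundll32 image path itself (System32 versus SysWOW64): a 32-bit DLL such as this sample will always be loaded by the SysWOW64 copy on 64-bit Windows, which is normal and carries no signal.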

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D29135 cpuid 3_2_00D29135
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001456 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_10001456
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00D29135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_00D29135
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_10001F0E

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.428802489.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310250645.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368506549.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385717547.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367471901.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295795718.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309722106.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259140674.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.366983460.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280402346.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309589226.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.415488289.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295762368.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295981429.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295901229.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310144792.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259178122.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.310335999.0000000005678000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428515499.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428837675.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367322753.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259099397.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.310021531.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321707074.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259250940.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280442585.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.343816596.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.395162233.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280372433.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.384858855.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364869086.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428611848.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.353270821.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259222797.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336223581.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365062749.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336185061.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.459586064.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368421655.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.460775914.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321756107.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309505620.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295849373.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310212383.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.474906529.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365099890.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364977228.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321909022.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309660073.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280191384.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368551599.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368346307.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295923025.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321848683.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.476957957.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367645140.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280276584.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280138372.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.258952943.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364937205.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385510006.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368531499.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368451118.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309974225.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368293297.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336096103.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385353671.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428554224.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336204746.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.408307408.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321555066.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309817966.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280343715.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.477641592.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309868338.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385676022.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385602355.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428457894.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.446732830.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.322064190.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.309919627.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336004164.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367145578.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309399685.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.368387169.0000000006CE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295955814.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.322004343.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280095345.0000000004988000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367427983.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.310086165.0000000006638000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428746719.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259048645.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.364804810.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365132346.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367564193.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.259264233.00000000053A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385558639.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309887913.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.385639765.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.365018193.0000000006958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.321610655.0000000007408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336054371.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.309772523.0000000005108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428583719.0000000001D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.430581205.0000000006DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.336145332.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.367387100.0000000006D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.295722944.0000000007198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.335927438.0000000006E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6104, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: same 109 memory dumps and 13 process memory spaces as listed for this signature under "Stealing of Sensitive Information" above (the Ursnif Yara match is reported under both categories)
[Map legend: No. of IPs < 25% | 25% to 50% | 50% to 75% | > 75%]