Windows Analysis Report qT9Qk5aKTk.dll

Overview

General Information

Sample Name: qT9Qk5aKTk.dll
Analysis ID: 481107
MD5: 58d9e2906f42336e9bee1137b4cf5839
SHA1: 7f29e42f6d317d7b11ad164a672e91e4515b5bc0
SHA256: a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Writes or reads registry keys via WMI
PE file has nameless sections
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Registers a DLL
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: qT9Qk5aKTk.dll Virustotal: Detection: 80% Perma Link
Source: qT9Qk5aKTk.dll Metadefender: Detection: 59% Perma Link
Source: qT9Qk5aKTk.dll ReversingLabs: Detection: 82%
Antivirus / Scanner detection for submitted sample
Source: qT9Qk5aKTk.dll Avira: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 19.0.rundll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 33.2.rundll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 19.2.rundll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 19.0.rundll32.exe.400000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: qT9Qk5aKTk.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb& source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000029.00000003.411166142.0000000005353000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411166142.0000000005353000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb) source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbm/pZ source: WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb3 source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbn.xP source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000023.00000003.376951522.00000000056E4000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000023.00000003.363884828.00000000053A3000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbN~g source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbU^ source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb= source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000023.00000003.376951522.00000000056E4000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdbn'xY source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02F912D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023E12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_023E12D4

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49824 -> 13.225.29.191:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49887 -> 13.225.29.191:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49887 -> 13.225.29.191:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49935 -> 13.225.29.204:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49935 -> 13.225.29.204:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49938 -> 13.225.29.191:80
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: de-ch[1].htm.6.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.6.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: WerFault.exe, 00000023.00000002.429475012.0000000005347000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.453464879.0000000004DF2000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.6.dr String found in binary or memory: http://popup.taboola.com/german
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: de-ch[1].htm.6.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.6.dr String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: de-ch[1].htm.6.dr String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: auction[1].htm.6.dr String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=_pGcdKMGIS.z.lCTqTjkg1MN5VDhw.LVmKPE.vsvy8xqR9tt
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.6.dr String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562&amp;epi=de-ch
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.6.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.6.dr String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=ofrom5sGIS_KXxy9_JDp4mX9JHjHM.c541SmqMEFZwTH
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1631265095&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1631265096&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1631265095&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.6.dr String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: auction[1].htm.6.dr String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: auction[1].htm.6.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: auction[1].htm.6.dr String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=8579855945c54b10b74180716ce798ce&amp;r=infopane&amp;i=3&
Source: imagestore.dat.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOgGQ4.img?h=368&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.6.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpo
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/die-schulen-sind-am-anschlag-ansteckungen-unter-ki
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/mit-dem-neubau-der-zurich-versicherung-ist-ein-wei
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wie-ein-engl%c3%a4nder-seine-schwangere-frau-vor-c
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/betrunkener-kia-fahrer-30-streift-polizeiauto-und-haut-ab/ar-AA
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/blaualgen-tr%c3%bcben-den-z%c3%bcrichsee-bei-freienbach/ar-AAOf
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/frau-hielt-schafe-im-badezimmer-ihrer-mietwohnung/ar-AAOhQkc?oc
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-z%c3%bcrich-beerdigt-westtangente-wetzikon/ar-AAOi8HP?oc
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/nach-13-positiven-tests-drei-klassen-m%c3%bcssen-in-quarant%c3%
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/v%c3%b6llig-absurd-f%c3%bcnftkl%c3%a4ssler-m%c3%bcssen-trotz-qu
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/sport/other/seit-corona-kommt-es-vermehrt-zu-t%c3%a4tlichkeiten/ar-AAOf1Pv
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: global traffic HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: geolocation.onetrust.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /px.gif?ch=1&e=0.7442770494067928 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-AliveCookie: IDE=AHWqTUmLaOp9iEghuZm4P0dJw9hUfO3C-7WsvHHj8XxLUXDn8JvgU1zZASjuR4p3
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F07804453bf90da635cf952e3d393ab12.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F26b7c43e8735f7408c60e41fb7e91ecd.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1621266752856-586.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: s.yimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F11b9f069e5e00ff6dd3050259af20493.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/ljDNkkzbV4a6qGMM6/1HExUGmQXVwO/frwWBEjdrZ4/d5S8UlSiYa0DzX/el9J2qXVIUyYCxMHHr91X/kizLttMGapdo5SvF/olXlCBP7aPqDsmB/ICQ2HKBamF1i_2Fxdj/ZsDmjnqFK/ytn9Ymr2xJl5Qy4kiXVc/IQDWlUGPzShrNYAjXzf/JPSl_2BD7pWwAJFNY_2B0f/3A3oDAh_2BF9_/2BxYBJaFI/UpWol9RI.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/cCdYQdt2tX8RhHk/neYfmVtOu_2BWHOxaX/ecV9VJIhq/XE4M5D_2FzTYipgQVzFy/24_2BtaWyVjXI2M_2FX/wa66wgzPqWCXC0kGRqyEUL/snesyfGZeTgvJ/569YwYUH/U86MzznZ70JhRKq9sWcaTd1/Hzb_2FFW0u/GZ5sESPD_2B5JLMQh/7K5kxREyrQ1n/mKmdzEvi70Tv5/6xorN.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/pHWWVyKJpE2g/nNZcTMutRbw/CCuOk7RvdVCDGz/STh4ftwA407S9VDDkvBy4/G7M_2BJ4E2bGBbf7/N4t3UKgsWntjM7M/mhCOIjxjlHyX4RUX7Q/Rdq3ib1hF/2fWqDSaJ9GA2yVZ_2Bgz/9iFlTX9OFyKHKxrjQJU/JYzhGNAUNkUKgLpHHU6bLf/nZUT_2BcMHeCkKwcWj/aMt.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/1mUl4vSxMxI/e7HhiI3PfruX2m/qXVt2BLImZpNU2AUWYoPx/KJXoqE51DtcFrNZ_/2BgDE50_2B2je1s/48lZWMnPdCpHd_2FFy/Vcq64rYip/9aN0bRvWizmkP5fXR2T3/jiHfK2wSGdTtZ8VP53I/SUMESuf_2FBQAkd3zXxfOT/_2BcxECgxKRoa/s8ZW5dhr/E0BgSy4u3Bh6HSi/j.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49780 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322676857.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474137548.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322202508.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473987515.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322499280.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488543169.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504757746.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417091528.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.530490300.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488696812.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416892582.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488440717.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416449935.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473902712.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505290500.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474356584.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417147272.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416620379.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505377175.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488723167.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504698368.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417041948.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474088169.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.528892428.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504300183.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322381939.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322406561.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504841805.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322337741.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474318739.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322575665.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504617318.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504419460.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488754897.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474399932.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488667528.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488635694.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416772424.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.530985686.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322291731.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474430335.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416968580.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: 25.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.47e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.rundll32.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.49a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.2df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.27c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.rundll32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.rundll32.exe.2ad0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.310878760.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.420794237.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.345060840.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518028253.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294274391.0000000003610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.522287201.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522835823.00000000026D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.520736013.0000000002DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.340961934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.441408261.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.426506350.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.502483591.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.366167651.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.346648661.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.512763307.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.433128810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.329480680.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.513121198.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.464297747.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.380004706.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.523877392.00000000027C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.305530234.00000000047E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.372926133.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.438165350.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.342868805.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.320841608.00000000007F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.459018631.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.389489795.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.364022083.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.347833864.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.371029885.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.477089969.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512650162.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.361319898.0000000000510000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322676857.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474137548.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322202508.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473987515.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322499280.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488543169.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504757746.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417091528.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.530490300.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488696812.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416892582.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488440717.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416449935.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473902712.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505290500.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474356584.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417147272.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416620379.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505377175.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488723167.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504698368.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417041948.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474088169.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.528892428.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504300183.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322381939.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322406561.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504841805.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322337741.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474318739.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322575665.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504617318.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504419460.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488754897.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474399932.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488667528.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488635694.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416772424.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.530985686.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322291731.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474430335.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416968580.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: 25.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.47e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.rundll32.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.49a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.2df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.27c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.rundll32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.rundll32.exe.2ad0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.310878760.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.420794237.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.345060840.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518028253.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294274391.0000000003610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.522287201.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522835823.00000000026D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.520736013.0000000002DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.340961934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.441408261.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.426506350.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.502483591.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.366167651.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.346648661.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.512763307.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.433128810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.329480680.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.513121198.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.464297747.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.380004706.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.523877392.00000000027C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.305530234.00000000047E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.372926133.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.438165350.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.342868805.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.320841608.00000000007F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.459018631.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.389489795.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.364022083.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.347833864.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.371029885.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.477089969.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512650162.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.361319898.0000000000510000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
PE file has nameless sections
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: qT9Qk5aKTk.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 820
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00402154 0_2_00402154
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F94094 0_2_02F94094
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F997F2 0_2_02F997F2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9B11C 0_2_02F9B11C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D2154 2_2_026D2154
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023E4094 2_2_023E4094
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023EB11C 2_2_023EB11C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023E97F2 2_2_023E97F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031BB11C 3_2_031BB11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B97F2 3_2_031B97F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B4094 3_2_031B4094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B554A 3_2_031B554A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B27A7 3_2_031B27A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B44A2 3_2_031B44A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C34094 33_2_04C34094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C397F2 33_2_04C397F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C3B11C 33_2_04C3B11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C344A2 33_2_04C344A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C327A7 33_2_04C327A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C3554A 33_2_04C3554A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050AB11C 43_2_050AB11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A97F2 43_2_050A97F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A4094 43_2_050A4094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A554A 43_2_050A554A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A27A7 43_2_050A27A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A44A2 43_2_050A44A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C34094 44_2_04C34094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C397F2 44_2_04C397F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C3B11C 44_2_04C3B11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C344A2 44_2_04C344A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C327A7 44_2_04C327A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C3554A 44_2_04C3554A
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00401D9F NtMapViewOfSection, 0_2_00401D9F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00401EB5 GetProcAddress,NtCreateSection,memset, 0_2_00401EB5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00402375 NtQueryVirtualMemory, 0_2_00402375
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F983B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_02F983B7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9B341 NtQueryVirtualMemory, 0_2_02F9B341
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360066 NtAllocateVirtualMemory, 0_2_01360066
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0136009C NtAllocateVirtualMemory, 0_2_0136009C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360285 NtProtectVirtualMemory, 0_2_01360285
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D1EB5 GetProcAddress,NtCreateSection,memset, 2_2_026D1EB5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D1D9F NtMapViewOfSection, 2_2_026D1D9F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D2375 NtQueryVirtualMemory, 2_2_026D2375
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023E83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 2_2_023E83B7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023EB341 NtQueryVirtualMemory, 2_2_023EB341
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E009C NtAllocateVirtualMemory, 5_2_035E009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E0066 NtAllocateVirtualMemory, 5_2_035E0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E0285 NtProtectVirtualMemory, 5_2_035E0285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF009C NtAllocateVirtualMemory, 9_2_02FF009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF0066 NtAllocateVirtualMemory, 9_2_02FF0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF0285 NtProtectVirtualMemory, 9_2_02FF0285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE0066 NtAllocateVirtualMemory, 12_2_02AE0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE0285 NtProtectVirtualMemory, 12_2_02AE0285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE009C NtAllocateVirtualMemory, 12_2_02AE009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_03290285 NtProtectVirtualMemory, 19_2_03290285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_03290066 NtAllocateVirtualMemory, 19_2_03290066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0329009C NtAllocateVirtualMemory, 19_2_0329009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A0066 NtAllocateVirtualMemory, 24_2_008A0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A0285 NtProtectVirtualMemory, 24_2_008A0285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A009C NtAllocateVirtualMemory, 24_2_008A009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_0092009C NtAllocateVirtualMemory, 29_2_0092009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_00920066 NtAllocateVirtualMemory, 29_2_00920066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_00920285 NtProtectVirtualMemory, 29_2_00920285
Sample file is different than original file name gathered from version info
Source: qT9Qk5aKTk.dll Binary or memory string: OriginalFilenameRPCTEST.DLL vs qT9Qk5aKTk.dll
PE file contains strange resources
Source: qT9Qk5aKTk.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qT9Qk5aKTk.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: @ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ? .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: > .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: = .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: < .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ; .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: : .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 9 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 8 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 7 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 6 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 5 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 4 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 3 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 2 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 1 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 0 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: - .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: , .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: + .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: * .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ) .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ( .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ' .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: & .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: % .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: $ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: # .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ' .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ! .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ~ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: } .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: | .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: { .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: z .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: y .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: x .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: w .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: v .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: u .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: t .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: s .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: r .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: q .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: p .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: o .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: n .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: m .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: l .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: k .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: j .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: i .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: h .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: g .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: f .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: e .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: d .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: c .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: b .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: a .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ` .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: _ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ^ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ] .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: [ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: z .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: y .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: x .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: w .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: v .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: u .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: t .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: s .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: r .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: q .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: p .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: o .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: n .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: m .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: l .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: k .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: j .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: i .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: h .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: g .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: f .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: e .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: d .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: c .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: b .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: a .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: @ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ? .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: > .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: = .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: < .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ; .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: : .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 9 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 8 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 7 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 6 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 5 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 4 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 3 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 2 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 1 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 0 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: - .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: , .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: + .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: * .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ) .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ( .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ' .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: & .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: % .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: $ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: # .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ' .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ! .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior