
Windows Analysis Report 3FLps29lWm

Overview

General Information

Sample Name: 3FLps29lWm (renamed file extension from none to dll)
Analysis ID: 483800
MD5: 0636cf8dafa624e524ad748f38d22240
SHA1: b347c65c5add7e2fb16fe30cedf46f57fd1eaa56
SHA256: 586999eb0a767ffedcc169d7aead09ebfc1528998def72fc9c5e4bfb245b1abc
Tags: Dridex, exe

Most interesting Screenshot:

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Sigma detected: System File Execution Location Anomaly
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Regsvr32 Command Line Without DLL
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to get notified if a device is plugged in / out
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
Potential key logger detected (key state polling based)
Registers a DLL
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6348 cmdline: loaddll64.exe 'C:\Users\user\Desktop\3FLps29lWm.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
    • cmd.exe (PID: 6384 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6420 cmdline: rundll32.exe 'C:\Users\user\Desktop\3FLps29lWm.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 6408 cmdline: regsvr32.exe /s C:\Users\user\Desktop\3FLps29lWm.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rstrui.exe (PID: 3180 cmdline: C:\Windows\system32\rstrui.exe MD5: 3E8AFFA54035412F86663C8B44CAA2E5)
        • rstrui.exe (PID: 1708 cmdline: C:\Users\user\AppData\Local\UIPe\rstrui.exe MD5: 3E8AFFA54035412F86663C8B44CAA2E5)
        • Taskmgr.exe (PID: 4600 cmdline: C:\Windows\system32\Taskmgr.exe MD5: CB8FE4DA1AF43E62BAA6A4CBE0A93A74)
        • Taskmgr.exe (PID: 4860 cmdline: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe MD5: CB8FE4DA1AF43E62BAA6A4CBE0A93A74)
        • FXSCOVER.exe (PID: 748 cmdline: C:\Windows\system32\FXSCOVER.exe MD5: BEAB16FEFCB7F62BBC135FB87DF7FDF2)
        • FXSCOVER.exe (PID: 5492 cmdline: C:\Users\user\AppData\Local\lFQXVd7\FXSCOVER.exe MD5: BEAB16FEFCB7F62BBC135FB87DF7FDF2)
        • mstsc.exe (PID: 4872 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
        • mstsc.exe (PID: 2456 cmdline: C:\Users\user\AppData\Local\yeShxe\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
    • iexplore.exe (PID: 6448 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 6580 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6448 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 6516 cmdline: rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedAnimation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6772 cmdline: rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginBufferedPaint MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6944 cmdline: rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BeginPanningFeedback MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7000 cmdline: rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintClear MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7076 cmdline: rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintInit MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5264 cmdline: rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintRenderAnimation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2740 cmdline: rundll32.exe C:\Users\user\Desktop\3FLps29lWm.dll,BufferedPaintSetAlpha MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Columns: Source | Rule | Description | Author | Strings
Source: 0000002B.00000002.479085760.0000000140001000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_2 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 0000000A.00000002.235930456.0000000140001000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_2 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 00000027.00000002.448796911.0000000140001000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_2 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 0000000C.00000002.246415321.0000000140001000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_2 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 00000007.00000002.228897543.0000000140001000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_2 | Description: Yara detected Dridex unpacked file | Author: Joe Security
(5 of 7 entries shown)

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe, CommandLine: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe, NewProcessName: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe, OriginalFileName: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe, ProcessId: 4860
Sigma detected: Regsvr32 Command Line Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\3FLps29lWm.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 6408, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 3388

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 3FLps29lWm.dll | Virustotal: Detection: 71%
Source: 3FLps29lWm.dll | Metadefender: Detection: 62%
Source: 3FLps29lWm.dll | ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: 3FLps29lWm.dll | Avira: detected
Machine Learning detection for sample
Source: 3FLps29lWm.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe | Code function: 43_2_00007FF60108F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,43_2_00007FF60108F8FC
Source: C:\Users\user\AppData\Local\yeShxe\mstsc.exe | Code function: 43_2_00007FF60108F52C CryptProtectData,LocalAlloc,LocalFree,43_2_00007FF60108F52C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49761 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.3:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49814 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49813 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: 3FLps29lWm.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source: Binary string: Taskmgr.pdbUGP source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source: Binary string: dialer.pdbGCTL source: dialer.exe.9.dr
Source: Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 00000027.00000002.451597797.00007FF753F02000.00000002.00020000.sdmp, FXSCOVER.exe.9.dr
Source: Binary string: Taskmgr.pdb source: Taskmgr.exe, 00000021.00000002.410121511.00007FF678813000.00000002.00020000.sdmp, Taskmgr.exe.9.dr
Source: Binary string: rstrui.pdbGCTL source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source: Binary string: rstrui.pdb source: rstrui.exe, 0000001B.00000000.343039764.00007FF7010B1000.00000002.00020000.sdmp, rstrui.exe.9.dr
Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr
Source: Binary string: dialer.pdb source: dialer.exe.9.dr
Source: Binary string: mstsc.pdb source: mstsc.exe, 0000002B.00000000.457004471.00007FF601134000.00000002.00020000.sdmp, mstsc.exe.9.dr
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe | Code function: 33_2_00007FF6787B1570 EnterCriticalSection,UnregisterDeviceNotification,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SysFreeString,GetProcessHeap,HeapFree,33_2_00007FF6787B1570
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000014005D290 FindFirstFileExW,3_2_000000014005D290
Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe | Code function: 27_2_00007FF7010A5FEC memset,memset,FindFirstFileW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,FindClose,27_2_00007FF7010A5FEC
Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe | Code function: 33_2_00007FF6787A9374 GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,_wcsnicmp,33_2_00007FF6787A9374
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: de-ch[1].htm.8.dr | String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.262491511.000000000F788000.00000004.00000001.sdmp | String found in binary or memory: :2021091520210916: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1606e68c,0x01d7aa75</date><accdate>0x1606e68c,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1606e68c,0x01d7aa75</date><accdate>0x1606e68c,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x16106db3,0x01d7aa75</date><accdate>0x16106db3,0x01d7aa75</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.8.dr | String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.8.dr | String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: de-ch[1].htm.8.dr | String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.8.dr | String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.8.dr | String found in binary or memory: http://popup.taboola.com/german
Source: ~DF98125A3D199168E4.TMP.5.dr | String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.5.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr | String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr | String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.8.dr | String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: auction[1].htm.8.dr | String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=21x0e_sGIS.ilIXooL5YSf3vyStZlGxuE54fPm01Hak3octV
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr | String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr | String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr | String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.8.dr | String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562&amp;epi=de-ch
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
Source: ~DF98125A3D199168E4.TMP.5.dr | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: ~DF98125A3D199168E4.TMP.5.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF98125A3D199168E4.TMP.5.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.8.dr | String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.8.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.8.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.8.dr | String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=omzXyQIGIS9RP7Ab2JdB6y2LE1eAUMyavr58923CVFzR
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1631707355&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://login.live.com/logout.srf?ct=1631707356&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1631707355&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://marketing.outbrain.com/network/redir?p=v32QGHAgJSsc5iQUmc_8pzjvwpvCgGeqUtF8mqZlq22g-2MjMNlW2
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.8.dr | String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: https://onedrive.live.com/about/en/download/
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://onedrive.live.com;Fotos
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
            Source: de-ch[1].htm.8.drString found in binary or memory: https://outlook.com/
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://outlook.live.com/calendar
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
            Source: de-ch[1].htm.8.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
            Source: de-ch[1].htm.8.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
            Source: auction[1].htm.8.drString found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
            Source: ~DF98125A3D199168E4.TMP.5.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
            Source: auction[1].htm.8.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
            Source: de-ch[1].htm.8.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
            Source: de-ch[1].htm.8.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
            Source: de-ch[1].htm.8.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
            Source: auction[1].htm.8.drString found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=a4ddd93dd52947cd82240d0d2c0c03b6&amp;r=infopane&amp;i=1&
            Source: imagestore.dat.8.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: de-ch[1].htm.8.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
            Source: de-ch[1].htm.8.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOrf3O.img?h=368&amp;
            Source: de-ch[1].htm.8.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
            Source: de-ch[1].htm.8.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
            Source: de-ch[1].htm.8.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
            Source: de-ch[1].htm.8.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
            Source: de-ch[1].htm.8.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
            Source: de-ch[1].htm.8.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://support.skype.com
            Source: de-ch[1].htm.8.drString found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
            Source: de-ch[1].htm.8.drString found in binary or memory: https://twitter.com/
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://twitter.com/i/notifications;Ich
            Source: de-ch[1].htm.8.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
            Source: iab2Data[1].json.8.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/
            Source: ~DF98125A3D199168E4.TMP.5.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
            Source: explorer.exe, 00000009.00000000.262491511.000000000F788000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
            Source: ~DF98125A3D199168E4.TMP.5.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpu
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/angst-vor-einer-gleisw%c3%bcste-der-kanton-und-die
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/bis-zu-2000-kiffer-k%c3%b6nnen-sich-in-z%c3%bcrich
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/news/other/autofahrer-20-kommt-von-strasse-ab-und-prallt-gegen-baum/ar-AAO
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/news/other/bundesgericht-will-brian-nicht-aus-der-einzelhaft-entlassen/ar-
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/news/other/mann-greift-bei-impftram-einweihung-security-an-und-wird-festge
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/news/other/patrick-aebischer-ist-als-ehemaliger-pr%c3%a4sident-der-eth-lau
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/news/other/rega-bringt-schwer-verletzten-t%c3%b6fffahrer-ins-spital/ar-AAO
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/news/other/unglaublich-erleichtert-bev%c3%b6lkerung-wehrt-sich-erfolgreich
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-apothekerinnen-werden-von-testwilligen-%c3%bcberra
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-d%c3%bcrfen-f%c3%bcr-die-wissenschaft-bald-legal-k
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.skype.com/
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://www.skype.com/de
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://www.skype.com/de/download-skype
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
            Source: iab2Data[1].json.8.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
            Source: iab2Data[1].json.8.drString found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
            Source: 52-478955-68ddb2ab[1].js.8.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
            Source: de-ch[1].htm.8.drString found in binary or memory: https://www.tippsundtricks.co/lifehacks/nadel-banane-trick/?utm_campaign=DECH-bananatrick&amp;utm_so
            Source: unknown | DNS traffic detected: queries for: www.msn.com
            Source: global traffic | HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1 | Accept: application/javascript, */*;q=0.8 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: geolocation.onetrust.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1 | Accept: application/javascript, */*;q=0.8 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: btloader.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /px.gif?ch=1&e=0.4888902266943189 HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: ad-delivery.net | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: ad.doubleclick.net | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1599143076228-3140.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: s.yimg.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fb4d84d7a-e7a0-4e71-a4e1-288b18f4b1a1_166a74d60a77edc1b295914db4bc79ac.jpeg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_433%2Cy_315/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F560ad3dcc869b1dfc2bac1c99d35ac81.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F7b4dbad0520957f16bd4e3f810f4c883.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_737%2Cy_504/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe17134d780918219c201cb1db8da2d3f.jpeg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5ac3b539d1cfda83dbe324033737805f.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
            Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe | Code function: 33_2_00007FF6787A3C00 memset,memset,memset,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SetFocus,?GetDisplayNode@Element@DirectUI@@QEAAPEAUHGADGET__@@XZ,ForwardGadgetMessage | 33_2_00007FF6787A3C00
            Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe | Code function: 33_2_00007FF67879AF2C GetCurrentProcessId,ProcessIdToSessionId,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,GetLocaleInfoEx,GetLastError,memset,GetKeyState,GetKeyState,GetKeyState | 33_2_00007FF67879AF2C
            Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe | Code function: 33_2_00007FF67879B6D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,RegGetValueW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,GetCurrentThreadId,GetCurrentThreadId,RegGetValueW,GetCurrentThreadId,RegSetValueExW,GetCurrentThreadId,RegCloseKey | 33_2_00007FF67879B6D0
            Source: C:\Users\user\AppData\Local\zOAoLK\Taskmgr.exe | Code function: 33_2_00007FF6787C9BE0 GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,OpenClipboard,GetLastError,GetCurrentThreadId,EmptyClipboard,GetCurrentThreadId,SetClipboardData,CloseClipboard | 33_2_00007FF6787C9BE0

            E-Banking Fraud:

            Yara detected Dridex unpacked file

            System Summary:

            Source: C:\Users\user\AppData\Local\UIPe\rstrui.exe | Code function: 27_2_00007FF701091D40 NtShutdownSystem,InitiateShutdownW | 27_2_00007FF701091D40