Windows Analysis Report c9.dll

AV Detection:

Found malware configuration

Source: 00000006.00000003.386491469.0000000004530000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "sNCxDve8MsvqadlVNqvrqkrM1BxogjVDx1pm1sFsq4WSz4qQxcJltY8VfWo8VsoI23mmMdPi/UOBDHcesqv0uSg2A2wl6c7JgyFwuaQwy2G9JJPqbTWDud8pc5Fsai3ORlGbJXlqq6BhxmpAbEG4ENYLo4G5cYGPJwt8Un0NiZjp+ebvWtxOiBxUdWz4B4Wb", "c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "3300", "server": "730", "serpent_key": "xQzYv150PXgru2nT", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Antivirus / Scanner detection for submitted sample

Source: c9.dll

Avira: detected

Compliance:

Uses 32bit PE files

Source: c9.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.226:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.226:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.127.209.187:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.127.209.187:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.174.68:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.174.68:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 76.223.111.131:443 -> 192.168.2.5:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 76.223.111.131:443 -> 192.168.2.5:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.29.132.241:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.29.132.241:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.156.0.31:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.156.0.31:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.184.201.8:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.184.201.8:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.38:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.38:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49844 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: c:\IdeaGave\commontrade\RaceBall\Dropmany\Paragraphequate\tiny.pdbp6(b source: loaddll32.exe, 00000001.00000002.794189213.0000000073221000.00000002.00020000.sdmp, c9.dll
Source:	Binary string: c:\IdeaGave\commontrade\RaceBall\Dropmany\Paragraphequate\tiny.pdb source: loaddll32.exe, 00000001.00000002.794189213.0000000073221000.00000002.00020000.sdmp, c9.dll

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		4_2_02FA7DD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E47DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		6_2_04E47DD8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49911 -> 87.106.18.141:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49911 -> 87.106.18.141:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49924 -> 87.106.18.141:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49942 -> 87.106.18.141:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49942 -> 87.106.18.141:80

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.26.3.70 104.26.3.70

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Found strings which match to known social media urls

Source: de-ch[1].htm.7.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf4cb4881,0x01d7bbd1</date><accdate>0xf4cb4881,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf4cb4881,0x01d7bbd1</date><accdate>0xf4cb4881,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf4d26f81,0x01d7bbd1</date><accdate>0xf4d26f81,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf4d26f81,0x01d7bbd1</date><accdate>0xf4d26f81,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf4d26f81,0x01d7bbd1</date><accdate>0xf4d26f81,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf4d26f81,0x01d7bbd1</date><accdate>0xf4d26f81,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.7.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.7.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

URLs found in memory or binary data

Source: loaddll32.exe, 00000001.00000002.791222422.0000000001140000.00000002.00020000.sdmp	String found in binary or memory: http://api10.laptok.at/api1/cjCx3CFNwvfHfzzFXMAZfSp/akD8HpiwLw/Xmf8SltrkZwIskxdD/LQq0Dq4H6kbK/n
Source: {533A88BC-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr	String found in binary or memory: http://api10.laptok.at/api1/cjCx3CFNwvfHfzzFXMAZfSp/akD8HpiwLw/Xmf8SltrkZwIskxdD/LQq0Dq4H6kbK/nehUVb
Source: {4A968DB9-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr	String found in binary or memory: http://api10.laptok.at/api1/ksE8rF5AGsnlH/fbLwQ3Lg/XhcZ8P1h_2Bo0_2BrjHAua5/e46Fw12wZ1/j1YBnIEVwMT0HV
Source: loaddll32.exe, 00000001.00000002.791222422.0000000001140000.00000002.00020000.sdmp	String found in binary or memory: http://api10.laptok.at/api1/vcA0O3WPGnQgQOgmZF/_2FEMTJNH/erT8pAgL94iyg0QnSDs4/tF67e4iCqPFCwhTcy
Source: {5B5838B5-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr, ~DF1706887F6FAE5535.TMP.5.dr	String found in binary or memory: http://api10.laptok.at/api1/vcA0O3WPGnQgQOgmZF/_2FEMTJNH/erT8pAgL94iyg0QnSDs4/tF67e4iCqPFCwhTcyrL/52
Source: de-ch[1].htm.7.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.7.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[2].htm.7.dr	String found in binary or memory: http://popup.taboola.com/german
Source: {14D0D766-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.5.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.5.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[2].htm.7.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24545562
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: {14D0D766-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {14D0D766-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {14D0D766-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: {14D0D766-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr	String found in binary or memory: https://contextualtag.media.net
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[2].htm.7.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633616402&rver
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1633616402&rver=7.0.6730.0&am
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1633616403&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1633616402&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: {14D0D766-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://secure.adnxs.com/clktrb?id=762232
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAPaLRV.img?h=368&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.7.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {14D0D766-27C5-11EC-90E5-ECF4BB570DC9}.dat.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/finanzen/nachrichten/schweizer-arbeitsmarkt-auf-dem-weg-zum-vorkrisennivea
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/bund-registriert-erneut-weniger-neue-corona-ansteckung
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/apps-bieten-nur-oberfl%c3%a4chlichen-zugang-zum-gegen%c3%bcber/
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/auto-nach-unfall-mit-milit%c3%a4rblachen-abgedeckt/ar-AALgoO8?o
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/die-araberinnen-und-araber-kehren-zur%c3%bcck/ar-AAPbaLO?ocid=h
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/gericht-verurteilt-mehrfachen-raser-zu-30-monaten-freiheitsstra
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/mann-54-wird-von-wurzelstock-getroffen-und-kommt-ums-leben/ar-A
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/schulleitung-warnt-eltern-vor-lebensbedrohlichem-ohnmacht-spiel
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/spezialisten-suchen-mit-sonarsonde-in-200-metern-tiefe-nach-ver
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/was-passierte-nur-drei-minuten-nach-dem-start/ar-AAP7LCM?ocid=h
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.7.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.7.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.7.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.7.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.msn.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: geolocation.onetrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pixel?cs=1&google_nid=media&google_cm=1&google_hm=Mjc2NjE4MDA5NjY4NDE3MzAwMFYxMA%3D%3D&google_sc=1 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: cm.g.doubleclick.netConnection: Keep-AliveCookie: IDE=AHWqTUkh5fOLAUMX20ZV8xqf__2tu45ymTec8GQqE60qWk9cSV6VA3zk_7PBuUk4
Source: global traffic	HTTP traffic detected: GET /sync?ssp=medianet&gdpr=0&gdpr_consent=&gdpr_pd=1 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: x.bidswitch.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /710489.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: id.rlcdn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ul_cb/sync?ssp=medianet&gdpr=0&gdpr_consent=&gdpr_pd=1 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: x.bidswitch.netConnection: Keep-AliveCookie: tuuid=e3c6ab64-6227-451b-a0eb-80821c5205b0; c=1633616410; tuuid_lu=1633616410
Source: global traffic	HTTP traffic detected: GET /track/cmf/generic?ttd_pid=8m33zk4&ttd_tpi=1 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: match.adsrvr.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /track/cmb/generic?ttd_pid=8m33zk4&ttd_tpi=1 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: match.adsrvr.orgConnection: Keep-AliveCookie: TDID=b8ee5114-8694-4079-a979-819224d901d9; TDCPM=CAEYBSgCMgsIsMry3InqhDoQBTgB
Source: global traffic	HTTP traffic detected: GET /sync/img?mt_exid=46&redir=%2F%2Fx.bidswitch.net%2Fsync%3Fdsp_id%3D80%26user_id%3D%5BUUID%5D%26expires%3D30%26ssp%3Dmedianet%26bsw_param%3De3c6ab64-6227-451b-a0eb-80821c5205b0&gdpr=0&gdpr_consent= HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: sync.mathtag.com
Source: global traffic	HTTP traffic detected: GET /sync?dsp_id=80&user_id=7e4f615f-021c-4400-97d1-71d777cb5972&expires=30&ssp=medianet&bsw_param=e3c6ab64-6227-451b-a0eb-80821c5205b0&gdpr=0&gdpr_consent= HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: x.bidswitch.netCookie: tuuid=e3c6ab64-6227-451b-a0eb-80821c5205b0; c=1633616410; tuuid_lu=1633616411
Source: global traffic	HTTP traffic detected: GET /ups/58222/sync?_origin=1&uid=2766180096684126000V10 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: ups.analytics.yahoo.com
Source: global traffic	HTTP traffic detected: GET /ups/58222/sync?_origin=1&uid=2766180096684126000V10&verify=true HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: ups.analytics.yahoo.comCookie: A3=d=AQABBBwCX2ECEPuVj2RlU4od0aG8sPO8M2EFEgEBAQFTYGFoYQAAAAAA_eMAAA&S=AQAAAouTZ_8WaBi0hZfRZ-z61xY; B=62ctsudglu0gs&b=3&s=uo
Source: global traffic	HTTP traffic detected: GET /ups/58222/sync?_origin=1&uid=2766180096684126000V10 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: pixel.advertising.com
Source: global traffic	HTTP traffic detected: GET /ups/58222/sync?_origin=1&uid=2766180096684126000V10&verify=true HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: pixel.advertising.comCookie: APID=UPaf4281b3-2779-11ec-a664-02db7f727538
Source: global traffic	HTTP traffic detected: GET /ups/58222/sync?_origin=1&uid=2766180096684126000V10&apid=UPaf4281b3-2779-11ec-a664-02db7f727538 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=69&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,uspAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: ups.analytics.yahoo.comCookie: A3=d=AQABBBwCX2ECEPuVj2RlU4od0aG8sPO8M2EFEgEBAQFTYGFoYQAAAAAA_eMAAAcIHAJfYfO8M2E&S=AQAAAq9EDu4ZC-eONZDFuqmxOcc; B=62ctsudglu0gs&b=3&s=uo; IDSYNC=18xa~20tq
Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-AliveCookie: IDE=AHWqTUmHOxlMoxj0Pnqfm3OGPHOK5PB_3CT4Qubkpi3xpdeiBinOowt7h4y8MxfC1z8
Source: global traffic	HTTP traffic detected: GET /px.gif?ch=1&e=0.7922055029919313 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F229da042318840c2bedb0d7d4a629da7.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F06ad29ca279ef6d1a1d51484867ed930.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F42912d3264942cf3a1683ef85b453901.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fe3c5e00c-8d4e-4ffb-9b76-5a7c81cdd776%2F77745de3383e60a935ce533068c740ef_1000x600_e4825edea4eb82408ffb2966288c972c.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fprezna.com%2Fget%2FXX2-4159422330900454935.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboolasyndication.com%2Flibtrc%2Fstatic%2Fthumbnails%2F89b2a2c406225ac19893953e2f531377.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/ksE8rF5AGsnlH/fbLwQ3Lg/XhcZ8P1h_2Bo0_2BrjHAua5/e46Fw12wZ1/j1YBnIEVwMT0HVp4T/_2FSBVel_2BD/Mtuel1zuDld/8eZOKx2Uzqu7_2/B_2BIcRwCeM2BicM_2BIQ/dnUyI3L91KPOSGJF/REFJoC3NQRoXeRu/EUZgiBW5ykWpIixdja/XweS77_2F/YWVjXghErokmvPqxa1Ga/uF4H7dLvfoa5oaEuK7a/9t8Dhet7EJ2ycRjwV5Nh_2/FAcOKR5tjq4Mj/G592BKqi/FiGVSjGAGKhk57Y2OuTtOf7/wQ8JLEs_2B/SWOdJq12ovpP6_2Fy/QhV2Hdk6yUx_/2FiSux_2F/gXZMkf HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/cjCx3CFNwvfHfzzFXMAZfSp/akD8HpiwLw/Xmf8SltrkZwIskxdD/LQq0Dq4H6kbK/nehUVbDEZih/YkDTsvTp3bYb8i/Kr6QeLqvadIsIs9pFukgL/OMDZLo4EFNLTVlQB/mKd2X3KJYAV3yVi/tdKjp4kt4yuYorXyBG/KNEUm6r2X/1LVNKB3ak_2Bz2y79hi5/ldIw1qOdPKTHg5FPpv_/2FZlNGmh0NUuq8aAo8LNJZ/wnXLcICktJOE5/BE2w0kMW/QOYuG2fkU6GX4EAYMrqGuqg/isDTO90LCo/1CJYfHJHGn0nJOZZW/Ng_2B8t HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/cjCx3CFNwvfHfzzFXMAZfSp/akD8HpiwLw/Xmf8SltrkZwIskxdD/LQq0Dq4H6kbK/nehUVbDEZih/YkDTsvTp3bYb8i/Kr6QeLqvadIsIs9pFukgL/OMDZLo4EFNLTVlQB/mKd2X3KJYAV3yVi/tdKjp4kt4yuYorXyBG/KNEUm6r2X/1LVNKB3ak_2Bz2y79hi5/ldIw1qOdPKTHg5FPpv_/2FZlNGmh0NUukUFKfkxwRB/hAGRbgGMkRs0W/Sja4JDzR/Typ_2FEqqGLQtFoEBaUfObX/k5DqE7Fqcl/ITzT4jdSj7c8BXUAG/ZqSRTC99eEQu/fB3yRofhVGR/HGnlb HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/vcA0O3WPGnQgQOgmZF/_2FEMTJNH/erT8pAgL94iyg0QnSDs4/tF67e4iCqPFCwhTcyrL/52_2B_2BcPsTzSbd1llCdD/ZkNNF2cncA9XY/3_2BIi6C/H91C6tOMyng3uLUQeGWT6J6/j_2BQqOmyJ/sgWrxLykMWFajBZ62/tiwu_2Bleg5Y/3ODf0koCu30/inb_2Bah3KNq1n/fEvEAIuh_2FgMWpEfxDKP/e5bzrfbMyOWi_2Br/qr4SjrC797UY1dW/_2FynXROO34PZ3JC62/akz42HCrt/_2B8jaBnhM_2F2ymPrmX/yps30gw8ZnZS8JvDVQW/WFIuNMub/F HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.226:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.215.226:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.127.209.187:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.127.209.187:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.174.68:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.174.68:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 76.223.111.131:443 -> 192.168.2.5:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 76.223.111.131:443 -> 192.168.2.5:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.29.132.241:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.29.132.241:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.156.0.31:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.156.0.31:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.184.201.8:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.184.201.8:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.38:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.38:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49844 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.523734739.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488044357.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522077972.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521984105.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494076089.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.496166737.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455802504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455706201.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455826385.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522163462.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494104508.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455734342.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494162883.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488134798.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487996782.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.463365965.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.793692440.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521952252.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494126017.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455848198.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493921377.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455863504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488104273.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522107522.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488074822.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522139753.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493983167.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455758627.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494183251.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488158475.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488197263.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522176306.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494038831.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487961993.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455887821.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522017997.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1576, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.73200000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.494661342.0000000004A29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522487862.0000000004AB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.386491469.0000000004530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.378158897.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.462278970.0000000004E29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395591048.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.791857039.00000000028C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.376653737.0000000004520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.399484771.0000000003020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.400880325.0000000000880000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.523734739.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488044357.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522077972.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521984105.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494076089.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.496166737.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455802504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455706201.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455826385.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522163462.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494104508.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455734342.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494162883.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488134798.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487996782.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.463365965.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.793692440.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521952252.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494126017.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455848198.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493921377.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455863504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488104273.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522107522.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488074822.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522139753.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493983167.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455758627.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494183251.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488158475.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488197263.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522176306.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494038831.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487961993.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455887821.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522017997.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1576, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.73200000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.494661342.0000000004A29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522487862.0000000004AB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.386491469.0000000004530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.378158897.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.462278970.0000000004E29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395591048.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.791857039.00000000028C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.376653737.0000000004520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.399484771.0000000003020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.400880325.0000000000880000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Uses 32bit PE files

Source: c9.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_732021A4		1_2_732021A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_7322037C		1_2_7322037C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_7321E9DF		1_2_7321E9DF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_7321EF23		1_2_7321EF23
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_7321E49B		1_2_7321E49B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FA40B3		4_2_02FA40B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FAAF44		4_2_02FAAF44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E440B3		6_2_04E440B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E4AF44		6_2_04E4AF44

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73201C22 GetProcAddress,NtCreateSection,memset,		1_2_73201C22
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73201AD1 NtMapViewOfSection,		1_2_73201AD1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73201252 GetLastError,NtClose,		1_2_73201252
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_732023C5 NtQueryVirtualMemory,		1_2_732023C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FA7925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		4_2_02FA7925
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FAB169 NtQueryVirtualMemory,		4_2_02FAB169
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E47925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		6_2_04E47925
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E4B169 NtQueryVirtualMemory,		6_2_04E4B169

PE file contains executable resources (Code or Archives)

Source: c9.dll

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Tries to load missing DLLs

Source: C:\Windows\System32\loaddll32.exe	Section loaded: lz32.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mspdb140.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: lz32.dll			Jump to behavior

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: c9.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

PE file has an executable .text section and no other executable section

Source: c9.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c9.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c9.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c9.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c9.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c9.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c9.dll,Voicetest
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c9.dll,Writtendesign
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:82962 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:82970 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17424 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17436 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c9.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c9.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c9.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c9.dll,Voicetest			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c9.dll,Writtendesign			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c9.dll',#1			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:82962 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:82970 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17424 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17436 /prefetch:2			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{14D0D764-27C5-11EC-90E5-ECF4BB570DC9}.dat

Jump to behavior

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFBF2D4F8BE8DD019D.TMP

Jump to behavior

Classification label

Source: classification engine

Classification label: mal88.troj.winDLL@25/140@24/13

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Contains functionality to enum processes or threads

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_02FA229C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_02FA229C

Runs a DLL by calling functions

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c9.dll',#1

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

PE file contains a mix of data directories often seen in goodware

Source: c9.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c9.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c9.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c9.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c9.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c9.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

PE file contains a debug data directory

Source: c9.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: c:\IdeaGave\commontrade\RaceBall\Dropmany\Paragraphequate\tiny.pdbp6(b source: loaddll32.exe, 00000001.00000002.794189213.0000000073221000.00000002.00020000.sdmp, c9.dll
Source:	Binary string: c:\IdeaGave\commontrade\RaceBall\Dropmany\Paragraphequate\tiny.pdb source: loaddll32.exe, 00000001.00000002.794189213.0000000073221000.00000002.00020000.sdmp, c9.dll

PE file contains a valid data directory to section mapping

Source: c9.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c9.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c9.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c9.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c9.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73202193 push ecx; ret		1_2_732021A3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73202140 push ecx; ret		1_2_73202149
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73212369 push 00000009h; iretd		1_2_73212368
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73217B6D push 0000002Eh; iretd		1_2_73217B72
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_7321235D push 00000009h; iretd		1_2_73212368
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_7321629C push es; iretd		1_2_732162A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73218114 push esp; ret		1_2_7321811E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73216942 push esi; retf		1_2_7321696D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73211F06 push ss; retf		1_2_73211F7F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73210796 push ecx; retf		1_2_7321092A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73215669 pushad ; retf		1_2_7321566A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73216D08 pushfd ; retf		1_2_73216D10
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73210D61 push FFFFFFC3h; ret		1_2_73210D78
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73210408 push ebp; ret		1_2_73210415
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_7322BE79 push ebp; iretd		1_2_7322BE7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FAE6BE push esp; retf		4_2_02FAE6BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FAAC00 push ecx; ret		4_2_02FAAC09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FAE1AF push ebx; ret		4_2_02FAE1B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FAE163 push edx; iretd		4_2_02FAE164
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FAAF33 push ecx; ret		4_2_02FAAF43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E4E6BE push esp; retf		6_2_04E4E6BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E4AC00 push ecx; ret		6_2_04E4AC09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E4E1AF push ebx; ret		6_2_04E4E1B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E4E163 push edx; iretd		6_2_04E4E164
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E4AF33 push ecx; ret		6_2_04E4AF43

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c9.dll

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.02169145494

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.523734739.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488044357.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522077972.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521984105.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494076089.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.496166737.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455802504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455706201.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455826385.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522163462.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494104508.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455734342.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494162883.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488134798.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487996782.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.463365965.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.793692440.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521952252.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494126017.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455848198.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493921377.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455863504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488104273.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522107522.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488074822.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522139753.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493983167.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455758627.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494183251.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488158475.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488197263.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522176306.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494038831.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487961993.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455887821.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522017997.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1576, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.73200000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.494661342.0000000004A29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522487862.0000000004AB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.386491469.0000000004530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.378158897.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.462278970.0000000004E29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395591048.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.791857039.00000000028C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.376653737.0000000004520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.399484771.0000000003020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.400880325.0000000000880000.00000040.00000001.sdmp, type: MEMORY

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6956	Thread sleep count: 33 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6956	Thread sleep count: 33 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6956	Thread sleep count: 33 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6956	Thread sleep count: 37 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6956	Thread sleep count: 43 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6956	Thread sleep count: 34 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6956	Thread sleep count: 46 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6956	Thread sleep count: 35 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6956	Thread sleep count: 54 > 30			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_7322C35E rdtsc

1_2_7322C35E

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		4_2_02FA7DD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04E47DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		6_2_04E47DD8

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_7322C35E rdtsc

1_2_7322C35E

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_732296E0 mov eax, dword ptr fs:[00000030h]		1_2_732296E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_73229616 mov eax, dword ptr fs:[00000030h]		1_2_73229616
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_7322921D push dword ptr fs:[00000030h]		1_2_7322921D

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c9.dll',#1

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000001.00000002.791222422.0000000001140000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.791222422.0000000001140000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.791222422.0000000001140000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000001.00000002.791222422.0000000001140000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000001.00000002.791222422.0000000001140000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll32.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

1_2_73201B13

Queries the installation date of Windows

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_02FA8B98 cpuid

4_2_02FA8B98

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_73201DBD GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_73201DBD

Contains functionality to query windows version

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_7320166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_7320166F

Contains functionality to query the account / user name

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_02FA8B98 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

4_2_02FA8B98

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.523734739.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488044357.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522077972.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521984105.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494076089.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.496166737.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455802504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455706201.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455826385.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522163462.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494104508.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455734342.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494162883.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488134798.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487996782.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.463365965.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.793692440.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521952252.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494126017.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455848198.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493921377.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455863504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488104273.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522107522.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488074822.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522139753.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493983167.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455758627.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494183251.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488158475.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488197263.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522176306.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494038831.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487961993.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455887821.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522017997.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1576, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.73200000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.494661342.0000000004A29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522487862.0000000004AB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.386491469.0000000004530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.378158897.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.462278970.0000000004E29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395591048.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.791857039.00000000028C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.376653737.0000000004520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.399484771.0000000003020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.400880325.0000000000880000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.523734739.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488044357.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522077972.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521984105.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494076089.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.496166737.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455802504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455706201.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455826385.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522163462.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494104508.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455734342.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494162883.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488134798.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487996782.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.463365965.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.793692440.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521952252.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494126017.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455848198.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493921377.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455863504.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488104273.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522107522.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488074822.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522139753.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.493983167.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455758627.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494183251.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488158475.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.488197263.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522176306.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.494038831.0000000003318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.487961993.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455887821.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522017997.0000000005328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1576, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.73200000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.88a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.452a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.28c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.rundll32.exe.302a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.4d6a253.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.453a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e294a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4ab94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2f9a253.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.494661342.0000000004A29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.522487862.0000000004AB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.386491469.0000000004530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.378158897.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.462278970.0000000004E29000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395591048.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.791857039.00000000028C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.376653737.0000000004520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.399484771.0000000003020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.400880325.0000000000880000.00000040.00000001.sdmp, type: MEMORY