Loading ...

Play interactive tourEdit tour

Windows Analysis Report 2W6FcgEeMy.dll

Overview

General Information

Sample Name:2W6FcgEeMy.dll
Analysis ID:526322
MD5:7dc420886e9c1a1e40e34d73ed2faf7c
SHA1:1cf57d47fab52815150a8236e985e7976aba4f75
SHA256:4e7f81fa970f3c2ffa70c22d10b2c81efbf7429594719be49b56a0b516503e4b
Tags:dll
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Registers a DLL
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6196 cmdline: loaddll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 900 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 984 cmdline: rundll32.exe "C:\Users\user\Desktop\2W6FcgEeMy.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6292 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2W6FcgEeMy.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 6068 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 6528 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6068 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 6432 cmdline: rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3112 cmdline: rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,adqehmqaggtoqofda MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2944 cmdline: rundll32.exe C:\Users\user\Desktop\2W6FcgEeMy.dll,awkikcxxkllcr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
      00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 37 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.loaddll32.exe.10f0000.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              3.2.rundll32.exe.49194a0.3.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                2.2.regsvr32.exe.4fb94a0.3.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  2.2.regsvr32.exe.4fb94a0.3.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    3.2.rundll32.exe.710000.2.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                      Click to see the 13 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.loaddll32.exe.10f0000.0.raw.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
                      Source: 3.2.rundll32.exe.6f0000.1.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: 0.2.loaddll32.exe.1100000.1.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                      Source: 2W6FcgEeMy.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                      Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.4:49820 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.4:49819 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.4:49828 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49829 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.4:49827 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49830 version: TLS 1.2
                      Source: 2W6FcgEeMy.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EDA23D0 FindNextFileA,FindClose,FindFirstFileA,FindFirstFileA,FindNextFileA,SetFilePointer,CreateFileA,CloseHandle,ReadFile,CreateFileA,CreateFileA,SetFilePointer,GetLastError,SetFilePointer,GetLastError,ReadFile,ReadFile,CloseHandle,CreateFileA,FindNextFileA,0_2_6EDA23D0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EDA6F26 FindFirstFileExW,0_2_6EDA6F26
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6EDA23D0 FindNextFileA,FindClose,FindFirstFileA,FindFirstFileA,FindNextFileA,SetFilePointer,CreateFileA,CloseHandle,ReadFile,CreateFileA,CreateFileA,SetFilePointer,GetLastError,SetFilePointer,GetLastError,ReadFile,ReadFile,FindCloseChangeNotification,CreateFileA,FindNextFileA,2_2_6EDA23D0
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6EDA6F26 FindFirstFileExW,2_2_6EDA6F26

                      Networking:

                      barindex
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\regsvr32.exeDomain query: technoshoper.com
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49927 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49928 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49929 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49828 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49929
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49928
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49828
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49927
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49926
                      Source: de-ch[1].htm.7.drString found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
                      Source: msapplication.xml0.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdde73afe,0x01d7dfa4</date><accdate>0xde063966,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                      Source: msapplication.xml5.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe095df9b,0x01d7dfa4</date><accdate>0xe0f078c7,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                      Source: msapplication.xml7.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe1af355a,0x01d7dfa4</date><accdate>0xe221a595,0x01d7dfa4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                      Source: de-ch[1].htm.7.drString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
                      Source: de-ch[1].htm.7.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
                      Source: rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmpString found in binary or memory: http://avolebukoneh.website
                      Source: rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmpString found in binary or memory: http://avolebukoneh.website/glik/.lwe.bmp08899
                      Source: loaddll32.exe, 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmpString found in binary or memory: http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA
                      Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmpString found in binary or memory: http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYA%-
                      Source: loaddll32.exe, 00000000.00000002.1205938172.00000000013FE000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.1191440529.0000000000975000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: de-ch[1].htm.7.drString found in binary or memory: http://ogp.me/ns#
                      Source: de-ch[1].htm.7.drString found in binary or memory: http://ogp.me/ns/fb#
                      Source: loaddll32.exe, 00000000.00000002.1206124177.0000000001423000.00000004.00000020.sdmpString found in binary or memory: http://schema.org/Organization
                      Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
                      Source: imagestore.dat.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                      Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmpString found in binary or memory: http://technoshoper.com
                      Source: msapplication.xml.5.drString found in binary or memory: http://www.amazon.com/
                      Source: msapplication.xml1.5.drString found in binary or memory: http://www.google.com/
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
                      Source: msapplication.xml2.5.drString found in binary or memory: http://www.live.com/
                      Source: msapplication.xml3.5.drString found in binary or memory: http://www.nytimes.com/
                      Source: msapplication.xml4.5.drString found in binary or memory: http://www.reddit.com/
                      Source: msapplication.xml5.5.drString found in binary or memory: http://www.twitter.com/
                      Source: msapplication.xml6.5.drString found in binary or memory: http://www.wikipedia.com/
                      Source: msapplication.xml7.5.drString found in binary or memory: http://www.youtube.com/
                      Source: loaddll32.exe, 00000000.00000003.1189532035.0000000001421000.00000004.00000001.sdmpString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
                      Source: loaddll32.exe, 00000000.00000003.1189379909.0000000001435000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1191310809.00000000009E6000.00000004.00000001.sdmpString found in binary or memory: https://aka.ms/MicrosoftEdgeDownload&quot;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://amzn.to/2TTxhNg
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36
                      Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmpString found in binary or memory: https://avolebukoneh.website
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://client-s.gateway.messenger.live.com
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=195119&amp;a=3064090&amp;g=25021476
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
                      Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
                      Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                      Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://doceree.com/.well-known/deviceStorage.json
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://doceree.com/us-privacy-policy/
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://evorra.com/product-privacy-policy/
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
                      Source: rundll32.exe, 00000003.00000003.1191310809.00000000009E6000.00000004.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax&quot;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1637587646&amp;rver=7.0.6730.0&am
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/logout.srf?ct=1637587647&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1637587646&amp;rver=7.0.6730.0&amp;w
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://nextmillennium.io/privacy-policy/
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/#qt=mru
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/about/en/download/
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com;Fotos
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://optimise-it.de/datenschutz
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://outlook.com/
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://outlook.live.com/calendar
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
                      Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://secure.adnxs.com/clktrb?id=764680&amp;t=1
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://silvermob.com/privacy
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://smartyads.com/privacy-policy
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
                      Source: imagestore.dat.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAQYSTg.img?h=368&amp;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
                      Source: loaddll32.exe, 00000000.00000003.1189532035.0000000001421000.00000004.00000001.sdmpString found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://support.skype.com
                      Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmpString found in binary or memory: https://technoshoper.com
                      Source: loaddll32.exe, 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmpString found in binary or memory: https://technoshoper.comhttps://avolebukoneh.websitehttp://technoshoper.comhttp://avolebukoneh.websi
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://twitter.com/
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://twitter.com/i/notifications;Ich
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://www.botman.ninja/privacy-policy
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
                      Source: imagestore.dat.7.drString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
                      Source: imagestore.dat.7.drString found in binary or memory: https://www.google.com/favicon.ico
                      Source: imagestore.dat.7.drString found in binary or memory: https://www.google.com/favicon.ico~
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/
                      Source: {EBFDF004-4B97-11EC-90EB-ECF4BBEA1588}.dat.5.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/bei-den-%c3%a4rzten-schauen-die-beh%c3%b6rden-einfach-weg/ar-AA
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/brand-an-der-langstrasse/ar-AAQXL4f?ocid=hplocalnews
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/defektes-paket-mit-radioaktivem-inhalt-in-swiss-flieger-entdeck
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/jacqueline-hofer-tritt-doch-nicht-zur-wiederwahl-an/ar-AAQTAnf?
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/mehrere-tausend-menschen-demonstrieren-in-z%c3%bcrich/ar-AAQWtO
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/sie-bew%c3%a4ltigen-alltagsstress-und-todesszenen/ar-AAQUall?oc
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-liefert-sich-wilde-verfolgungsjagd-mit-der-poli
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-st%c3%bcrzt-nach-verfolgungsjagd-mit-der-polize
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/sport/fussball/der-fcz-zittert-und-steht-doch-ganz-oben/ar-AAQWrxt?ocid=hp
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/sport/other/runter-rauf-runter-wie-gc-in-genf-vom-weg-abkommt/ar-AAQYdQe?o
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://www.onlineumfragen.com/3index_2010_agb.cfm
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://www.queryclick.com/privacy-policy
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.skype.com/
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.skype.com/de
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.skype.com/de/download-skype
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://www.stroeer.de/ssp-datenschutz
                      Source: iab2Data[2].json.7.drString found in binary or memory: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c
                      Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.tippsundtricks.co/gesundheit/finger-persoenlichkeit/?utm_campaign=DECH-Finger&amp;utm_so
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.tippsundtricks.co/gesundheit/knoblauchzehe-unters-kopfkissen/?utm_campaign=DECH-Knoblauc
                      Source: de-ch[1].htm.7.drString found in binary or memory: https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&amp;utm_sourc
                      Source: unknownDNS traffic detected: queries for: www.msn.com
                      Source: global trafficHTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /px.gif?ch=1&e=0.5207611127885279 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
                      Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.4:49820 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.4:49819 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.4:49828 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49829 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 216.58.215.230:443 -> 192.168.2.4:49827 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49830 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191135621.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1207204484.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174643571.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174822203.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191409157.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174672667.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174877788.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1188941851.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191287733.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191167902.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189311900.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191103742.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174724933.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191264405.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189232893.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191197340.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1188897799.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174847210.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189190747.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174861431.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189102105.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191219624.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1188997373.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1175009445.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189042017.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 6292, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 984, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.loaddll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.49194a0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.4fb94a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.4fb94a0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.710000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.49194a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2fa0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.19794a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.19794a0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2fd0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.1340000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.1100000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.1100000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1206945247.0000000004919000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1208151025.0000000004FB9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1206904709.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1204058262.00000000006E0000.00000004.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1204595185.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1206985280.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1206433585.0000000001979000.00000004.00000040.sdmp, type: MEMORY
                      Source: loaddll32.exe, 00000000.00000002.1205256384.000000000136B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000002.00000003.1197864565.000000000531B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174702628.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191239094.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191135621.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1207204484.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189899566.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174643571.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174822203.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191409157.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174672667.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174877788.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1188941851.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191287733.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191167902.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189311900.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191103742.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1206556297.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174724933.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191264405.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189232893.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191197340.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1188897799.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174847210.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189190747.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1174861431.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189102105.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.1191219624.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1188997373.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.1175009445.0000000005498000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.1189042017.0000000002258000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 6292, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 984, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.loaddll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.49194a0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.4fb94a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.4fb94a0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.710000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.49194a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2fa0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.19794a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.19794a0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2fd0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.1340000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.1100000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.1100000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.1204664213.0000000001100000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1204064655.00000000006F0000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1206945247.0000000004919000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1208151025.0000000004FB9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1206904709.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1204058262.00000000006E0000.00000004.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1204595185.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1206985280.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1206433585.0000000001979000.00000004.00000040.sdmp, type: MEMORY

                      System Summary:

                      barindex
                      Writes or reads registry keys via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinary