{"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Source: 4.2.rundll32.exe.50494a0.3.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
Source: 4.2.rundll32.exe.3070000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: 3.2.regsvr32.exe.1c0000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: DAImS4qg20.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll |
Source: unknown | HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49820 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49819 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 37.120.206.119:443 -> 192.168.2.7:49922 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 37.120.206.119:443 -> 192.168.2.7:49923 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 66.254.114.238:443 -> 192.168.2.7:49924 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 66.254.114.238:443 -> 192.168.2.7:49925 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 37.120.206.119:443 -> 192.168.2.7:49926 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 66.254.114.238:443 -> 192.168.2.7:49927 version: TLS 1.2 |
Source: DAImS4qg20.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_72B95B80 FindNextFileA,FindClose,FindFirstFileA,FindFirstFileA,FindNextFileA,SetFilePointer,CreateFileA,CloseHandle,ReadFile,CreateFileA,CreateFileA,SetFilePointer,GetLastError,SetFilePointer,GetLastError,ReadFile,ReadFile,CloseHandle,CreateFileA,FindNextFileA, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_72B9A3C6 FindFirstFileExW, |
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72B95B80 FindNextFileA,FindClose,FindFirstFileA,FindFirstFileA,FindNextFileA,SetFilePointer,CreateFileA,CloseHandle,ReadFile,CreateFileA,CreateFileA,SetFilePointer,GetLastError,SetFilePointer,GetLastError,ReadFile,ReadFile,FindCloseChangeNotification,CreateFileA,FindNextFileA, |
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72B9A3C6 FindFirstFileExW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: avolebukoneh.website |
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: technoshoper.com |
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.redtube.com |
Source: unknown | Network traffic detected: HTTP traffic on port 49924 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820 |
Source: unknown | Network traffic detected: HTTP traffic on port 49922 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49926 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49898 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49908 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819 |
Source: unknown | Network traffic detected: HTTP traffic on port 49904 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49906 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49902 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49899 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49898 |
Source: unknown | Network traffic detected: HTTP traffic on port 49900 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49897 |
Source: unknown | Network traffic detected: HTTP traffic on port 49925 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49923 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49927 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49899 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49897 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49908 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49907 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49906 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49905 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49927 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49904 |
Source: unknown | Network traffic detected: HTTP traffic on port 49907 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49926 |
Source: unknown | Network traffic detected: HTTP traffic on port 49905 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49903 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49925 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49902 |
Source: unknown | Network traffic detected: HTTP traffic on port 49903 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49924 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49901 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49923 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49900 |
Source: unknown | Network traffic detected: HTTP traffic on port 49901 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49922 |
Source: de-ch[1].htm.8.dr | String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook) |
Source: loaddll32.exe, 00000000.00000003.769838375.0000000004721000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.767168012.0000000004FF1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.768653159.00000000052CE000.00000004.00000040.sdmp | String found in binary or memory: href="http://www.twitter.com/RedTube" equals www.twitter.com (Twitter) |
Source: loaddll32.exe, 00000000.00000003.769971905.000000000161B000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.767168012.0000000004FF1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.768653159.00000000052CE000.00000004.00000040.sdmp | String found in binary or memory: <a class="social-icon twitter" title="Twitter" href="http://www.twitter.com/RedTube" target="_blank" rel="nofollow"> equals www.twitter.com (Twitter) |
Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7a93f998,0x01d7dff0</date><accdate>0x7aabd0f7,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7d2ac776,0x01d7dff0</date><accdate>0x7d49c6d9,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7e2ea756,0x01d7dff0</date><accdate>0x7e4da522,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: de-ch[1].htm.8.dr | String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail) |
Source: 52-478955-68ddb2ab[1].js.8.dr | String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter) |
Source: de-ch[1].htm.8.dr | String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+" Ref 2: "+e.html(t.clientSettings.sid||"000000")+" Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Log |