
Windows Analysis Report 2zTgaLRFkL.dll

Overview

General Information

Sample Name: 2zTgaLRFkL.dll
Analysis ID: 526326
MD5: 096d27e730a16660704e6713fdc89173
SHA1: 880a73f218d5b4ba3f734c14ed3b84ef036aa85a
SHA256: 5bbba6d13c8222ef2cc5c4aecf14043f1e74d164ab2a1b3e4b68ee6cb086900c
Tags: dll

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Tries to detect virtualization through RDTSC time measurements
Potentially malicious time measurement code found
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Registers a DLL
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5092 cmdline: loaddll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 2244 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4888 cmdline: rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 2076 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 764 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 5164 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 5132 cmdline: rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4380 cmdline: rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abetfoehywujav MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6004 cmdline: rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abjqkqaxstop MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
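The regsvr32 and rundll32 entries in this tree are driven by Joe Sandbox's loaddll32.exe harness, which exercises the DLL's entry points (ordinal #1, DllRegisterServer, and the two export names taken from the sample's export table); on a real host the parent chain would differ, but the command lines themselves are what a detection would see. The report notes below that no Sigma rule matched, so the following is an added example (written by the editor, not part of the report or of Joe Sandbox) of the command-line logic such a rule would encode, run over the tree entries copied from above: flag rundll32/regsvr32 loading a DLL from a user-writable path, and flag rundll32 calling an ordinal or an export name outside a small expected set. The regular expressions and the EXPECTED_EXPORTS list are the editor's assumptions.

```python
import re

# Process-tree entries copied from the report above (Joe Sandbox's
# "image (PID: n cmdline: ... MD5: ...)" rendering); raw strings keep the backslashes.
TREE = [
    r'loaddll32.exe (PID: 5092 cmdline: loaddll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)',
    r'cmd.exe (PID: 2244 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)',
    r'rundll32.exe (PID: 4888 cmdline: rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)',
    r'regsvr32.exe (PID: 2076 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll MD5: 426E7499F6A7346F0410DEAD0805586B)',
    r'iexplore.exe (PID: 764 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)',
    r'rundll32.exe (PID: 5132 cmdline: rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)',
    r'rundll32.exe (PID: 4380 cmdline: rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abetfoehywujav MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)',
    r'rundll32.exe (PID: 6004 cmdline: rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abjqkqaxstop MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)',
]

LINE_RE = re.compile(
    r'^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmdline>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$'
)
# A DLL path under a user profile, i.e. a user-writable location (editor's assumption).
USER_PATH_RE = re.compile(r'[A-Za-z]:\\Users\\[^\\]+\\', re.IGNORECASE)
# rundll32 argument syntax: optionally quoted DLL path, then ",Export" or ",#ordinal".
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>#?\S+)', re.IGNORECASE)
# Entry points that benign rundll32 use commonly names (editor's list, not from the report).
EXPECTED_EXPORTS = {"dllregisterserver", "dllunregisterserver", "dllinstall"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}


def parse_line(line: str) -> dict:
    """Split one tree line into image, pid, cmdline and md5."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised process-tree line: " + line)
    proc = m.groupdict()
    proc["pid"] = int(proc["pid"])
    return proc


def reasons(proc: dict) -> list:
    """Detection reasons for one process entry; an empty list means nothing fired."""
    hits = []
    image, cmd = proc["image"].lower(), proc["cmdline"]
    if image in LOADERS and USER_PATH_RE.search(cmd):
        hits.append("dll-loader-from-user-writable-path")
    if image == "rundll32.exe":
        m = RUNDLL_RE.search(cmd)
        if m:
            export = m.group("export")
            if export.startswith("#"):
                hits.append("rundll32-ordinal-export")
            elif export.lower() not in EXPECTED_EXPORTS:
                hits.append("rundll32-unexpected-export:" + export)
    return hits


def triage(lines) -> dict:
    """Map PID -> reasons for every entry that fired at least one check."""
    flagged = {}
    for proc in map(parse_line, lines):
        hits = reasons(proc)
        if hits:
            flagged[proc["pid"]] = hits
    return flagged


if __name__ == "__main__":
    for pid, hits in triage(TREE).items():
        print(pid, hits)
```

The DllRegisterServer and regsvr32 /s entries are caught only by the path check, which is deliberate: an export name alone is a weak signal (the sample's own export names are arbitrary), while a DLL loaded from a user profile directory carries most of the weight. On a production host the parent (loaddll32.exe here) would be replaced by whatever delivered the DLL, so the check is written against the loader's command line rather than the parent.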

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
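Turning the extracted configuration into indicators needs a few steps the raw JSON does not make explicit: the c2_domain list mixes bare hosts, http and https URLs and one path on microsoft.com, so the same host appears more than once and a legitimate domain sits next to the real C2 hosts; the RSA public key is a base64 blob whose layout the report does not document; and the sandbox's outbound connections (172.67.70.134, 104.26.3.70 and 142.250.203.102 in the network section) fall in Cloudflare's and Google's shared address ranges, so the "IP address seen in connection with other malware" signature is weak evidence on its own. The following is an added example by the editor, not code from the report or from Joe Sandbox, that parses the configuration block above exactly as printed, de-duplicates the hosts, routes well-known domains to a review list rather than a blocklist, checks the Serpent key size and the decoded key length, and labels each IP with the shared range it falls in. The SHARED_RANGES CIDRs, the DO_NOT_BLOCK allowlist and the choice of IPs are the editor's assumptions; the provider ranges should be verified against the providers' current published lists.

```python
import base64
import ipaddress
import json
from urllib.parse import urlsplit

# Configuration exactly as printed by the report's extractor (Ursnif, botnet 8899).
RAW_CONFIG = r'''{"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}'''

# Editor's assumptions, not part of the report: the addresses the sandbox contacted
# (from the "HTTPS traffic detected" lines) and the shared provider ranges they fall in.
REPORT_IPS = ["172.67.70.134", "142.250.203.102", "104.26.3.70"]
SHARED_RANGES = {
    "cloudflare": ("104.16.0.0/12", "172.64.0.0/13"),
    "google": ("142.250.0.0/15",),
}
# Hosts an analyst must review rather than block; illustrative allowlist.
DO_NOT_BLOCK = {"microsoft.com"}


def parse_config(text: str) -> dict:
    return json.loads(text)


def c2_hosts(cfg: dict) -> list:
    """Hostnames from c2_domain with scheme and path stripped, de-duplicated in order."""
    hosts = []
    for entry in cfg["c2_domain"]:
        url = entry if "://" in entry else "http://" + entry
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def rsa_blob(cfg: dict) -> bytes:
    """Raw bytes of the base64 'RSA Public Key' field; the report does not document its layout."""
    return base64.b64decode(cfg["RSA Public Key"])


def serpent_key_bits(cfg: dict) -> int:
    """Serpent key size in bits; the 16-character key in this config is a 128-bit key."""
    return len(cfg["serpent_key"].encode("ascii")) * 8


def ip_context(ip: str):
    """Name of the shared-infrastructure range an address falls in, or None."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in SHARED_RANGES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return owner
    return None


def ioc_bundle(cfg: dict, ips: list) -> dict:
    """Indicators plus the triage metadata a blocklist maintainer needs."""
    hosts = c2_hosts(cfg)
    return {
        "botnet": cfg["botnet"],
        "server": cfg["server"],
        "block_hosts": [h for h in hosts if h not in DO_NOT_BLOCK],
        "review_hosts": [h for h in hosts if h in DO_NOT_BLOCK],
        # Shared CDN/cloud addresses serve many tenants and are low-confidence indicators.
        "ips": {ip: (ip_context(ip) or "unclassified") for ip in ips},
        "rsa_blob_len": len(rsa_blob(cfg)),
        "serpent_key_bits": serpent_key_bits(cfg),
    }


if __name__ == "__main__":
    print(json.dumps(ioc_bundle(parse_config(RAW_CONFIG), REPORT_IPS), indent=2))
```

The decoded key blob is 272 bytes, which fits a 256-byte (2048-bit) modulus plus a short header, but the report gives no structure for it, so the example only reports the length rather than guessing at field offsets. Both real C2 hosts are listed twice in the configuration (http and https), which is why de-duplication runs before anything is written to a blocklist.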

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Unpacked PEs

Source | Rule | Description | Author
5.2.rundll32.exe.2ed0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.regsvr32.exe.4620000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
5.2.rundll32.exe.2eb0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.regsvr32.exe.4620000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.regsvr32.exe.4600000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(1 further entry not shown in the original report)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
                    Source: 2.2.regsvr32.exe.4620000.1.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
                    Source: 2zTgaLRFkL.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
                    Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.5:49757 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.5:49756 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49760 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49759 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49761 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49762 version: TLS 1.2
                    Source: 2zTgaLRFkL.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_73215FE6 FindFirstFileExW,0_2_73215FE6
                    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_73215FE6 FindFirstFileExW,2_2_73215FE6
                    Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
                    Source: Joe Sandbox ViewIP Address: 104.26.3.70 104.26.3.70
                    Source: Joe Sandbox ViewIP Address: 172.67.70.134 172.67.70.134
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                    Source: de-ch[1].htm.6.drString found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
                    Source: msapplication.xml2.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x81446d26,0x01d7dff0</date><accdate>0x835a7b73,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                    Source: msapplication.xml7.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x88561c8b,0x01d7dff0</date><accdate>0x8b868e13,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                    Source: msapplication.xml0.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8bf8fed4,0x01d7dff0</date><accdate>0x8c159c3d,0x01d7dff0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                    Source: de-ch[1].htm.6.drString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
                    Source: de-ch[1].htm.6.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and 
(max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
                    Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns#
                    Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns/fb#
                    Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
                    Source: imagestore.dat.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                    Source: msapplication.xml1.4.drString found in binary or memory: http://www.amazon.com/
                    Source: msapplication.xml3.4.drString found in binary or memory: http://www.google.com/
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
                    Source: msapplication.xml4.4.drString found in binary or memory: http://www.live.com/
                    Source: msapplication.xml5.4.drString found in binary or memory: http://www.nytimes.com/
                    Source: msapplication.xml6.4.drString found in binary or memory: http://www.reddit.com/
                    Source: msapplication.xml7.4.drString found in binary or memory: http://www.twitter.com/
                    Source: msapplication.xml.4.drString found in binary or memory: http://www.wikipedia.com/
                    Source: msapplication.xml0.4.drString found in binary or memory: http://www.youtube.com/
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://amzn.to/2TTxhNg
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
                    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.drString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36
                    Source: auction[2].htm.6.drString found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=MJ_W730GIS_QkG6Z3slmnzoRpVQc.g8KNhy8thvyLfijZDMu
                    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
                    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
                    Source: auction[2].htm.6.drString found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://client-s.gateway.messenger.live.com
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=195119&amp;a=3064090&amp;g=25021476
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
                    Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
                    Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                    Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://doceree.com/.well-known/deviceStorage.json
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://doceree.com/us-privacy-policy/
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://evorra.com/product-privacy-policy/
                    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
                    Source: auction[2].htm.6.drString found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=1pthyrgGIS_CP6RinMZ9JLQidWOhQxu_ti3Yy1VE1q4K
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1637587730&amp;rver=7.0.6730.0&am
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/logout.srf?ct=1637587731&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1637587730&amp;rver=7.0.6730.0&amp;w
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://nextmillennium.io/privacy-policy/
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/#qt=mru
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/about/en/download/
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;Fotos
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://optimise-it.de/datenschutz
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://outlook.com/
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/calendar
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
                    Source: auction[2].htm.6.drString found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
                    Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
                    Source: auction[2].htm.6.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/CHE6ysqAlt744fnx0c7isA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://secure.adnxs.com/clktrb?id=764680&amp;t=1
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://silvermob.com/privacy
                    Source: iab2Data[1].json.6.drString found in binary or memory: https://smartyads.com/privacy-policy
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
                    Source: auction[2].htm.6.drString found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=89e9c689e4e442bc8decc0870f35ae96&amp;r=infopane&amp;i=1&
                    Source: ~DFBB4D173838662490.TMP.4.dr, imagestore.dat.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAQYSTg.img?h=368&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
                    Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
                    Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr, String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: iab2Data[1].json.6.dr, String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.6.dr, String found in binary or memory: https://www.botman.ninja/privacy-policy
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: imagestore.dat.6.dr, String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/
Source: {8D788005-4BE3-11EC-90E5-ECF4BB570DC9}.dat.4.dr, String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/news/other/bei-den-%c3%a4rzten-schauen-die-beh%c3%b6rden-einfach-weg/ar-AA
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/news/other/brand-an-der-langstrasse/ar-AAQXL4f?ocid=hplocalnews
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/news/other/defektes-paket-mit-radioaktivem-inhalt-in-swiss-flieger-entdeck
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/news/other/jacqueline-hofer-tritt-doch-nicht-zur-wiederwahl-an/ar-AAQTAnf?
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/news/other/mehrere-tausend-menschen-demonstrieren-in-z%c3%bcrich/ar-AAQWtO
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/news/other/sie-bew%c3%a4ltigen-alltagsstress-und-todesszenen/ar-AAQUall?oc
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-liefert-sich-wilde-verfolgungsjagd-mit-der-poli
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-st%c3%bcrzt-nach-verfolgungsjagd-mit-der-polize
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/sport/fussball/der-fcz-zittert-und-steht-doch-ganz-oben/ar-AAQWrxt?ocid=hp
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/sport/other/runter-rauf-runter-wie-gc-in-genf-vom-weg-abkommt/ar-AAQYdQe?o
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr, String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr, String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: iab2Data[1].json.6.dr, String found in binary or memory: https://www.onlineumfragen.com/3index_2010_agb.cfm
Source: iab2Data[1].json.6.dr, String found in binary or memory: https://www.queryclick.com/privacy-policy
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr, String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr, String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr, String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr, String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr, String found in binary or memory: https://www.stroeer.de/ssp-datenschutz
Source: iab2Data[1].json.6.dr, String found in binary or memory: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c
Source: 52-478955-68ddb2ab[1].js.6.dr, String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.tippsundtricks.co/gesundheit/finger-persoenlichkeit/?utm_campaign=DECH-Finger&amp;utm_so
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.tippsundtricks.co/gesundheit/knoblauchzehe-unters-kopfkissen/?utm_campaign=DECH-Knoblauc
Source: de-ch[1].htm.6.dr, String found in binary or memory: https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&amp;utm_sourc
Source: unknown, DNS traffic detected: queries for: www.msn.com
Source: global traffic, HTTP traffic detected:
    GET /tag?o=6208086025961472&upapi=true HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: btloader.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ad.doubleclick.net
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /px.gif?ch=1&e=0.4482105559414631 HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ad-delivery.net
    Connection: Keep-Alive
Source: unknown, HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49762 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 5.2.rundll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.4620000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.4620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.4600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.2ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.892680935.000000000164B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, File source: 5.2.rundll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.4620000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.4620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.4600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.2ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp, type: MEMORY
Source: 2zTgaLRFkL.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe, Section loaded: sfc.dll
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_7321BF43
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_73211000
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_7321BF43
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_73211000
Source: 2zTgaLRFkL.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1
Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll"
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abetfoehywujav
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abjqkqaxstop
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abetfoehywujav
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abjqkqaxstop
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1
Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2
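The process-creation rows above record how the sample DLL was exercised: rundll32.exe with the ordinal export #1 and with the named exports DllRegisterServer, abetfoehywujav and abjqkqaxstop, and regsvr32.exe /s, which calls DllRegisterServer and suppresses the result dialog. The parent loaddll32.exe is the sandbox's own DLL loader, so on a real host the parent of interest would be whatever dropped the DLL, not this one. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses those rows (re-typed here as a constructed list) into loader/DLL/entry-point records and flags the patterns a reviewer would look at twice. Function names, the user-writable path list and the browser list are this example's own choices.

```python
import ntpath
import re

# Constructed sample input: the "Process created" rows of this report, reduced to
# (parent image, child image, child command line). loaddll32.exe is the sandbox's
# DLL loader, not something the sample started.
PROCESS_CREATED = [
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r'rundll32.exe "C:\Users\user\Desktop\2zTgaLRFkL.dll",#1'),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
     r"regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Program Files\internet explorer\iexplore.exe",
     r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,DllRegisterServer"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abetfoehywujav"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\2zTgaLRFkL.dll,abjqkqaxstop"),
    (r"C:\Program Files\internet explorer\iexplore.exe",
     r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2'),
]

# rundll32 takes <dll>,<export>; the export is a name or #ordinal.
RUNDLL32_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.I)
# regsvr32 takes optional /flags then the DLL; it calls DllRegisterServer
# (DllUnregisterServer with /u) and /s suppresses the result dialog.
REGSVR32_RE = re.compile(r"regsvr32\.exe\s+(?P<flags>(?:/\w+\s+)*)(?P<dll>.+)", re.I)

# Paths an unprivileged user can write to (example's own list, extend as needed).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def parse_dll_loader(child_image, cmdline):
    """Return what a rundll32/regsvr32 command line loads and calls, or None for other processes."""
    exe = ntpath.basename(child_image).lower()
    if exe == "rundll32.exe":
        m = RUNDLL32_RE.search(cmdline)
        if m:
            return {"loader": "rundll32", "dll": m["dll"], "entry": m["entry"], "silent": False}
    elif exe == "regsvr32.exe":
        m = REGSVR32_RE.search(cmdline)
        if m:
            flags = m["flags"].lower().split()
            entry = "DllUnregisterServer" if "/u" in flags else "DllRegisterServer"
            return {"loader": "regsvr32", "dll": m["dll"].strip().strip('"'),
                    "entry": entry, "silent": "/s" in flags}
    return None


def dll_invocations(rows):
    """Every rundll32/regsvr32 invocation in the rows, in order, with its parent image."""
    found = []
    for parent, child, cmdline in rows:
        rec = parse_dll_loader(child, cmdline)
        if rec:
            rec["parent"] = ntpath.basename(parent).lower()
            found.append(rec)
    return found


def triage(rows):
    """Reasons a reviewer would look twice at this process tree."""
    reasons = []
    for inv in dll_invocations(rows):
        if inv["dll"].lower().startswith(USER_WRITABLE):
            reasons.append(f'{inv["loader"]} loads a DLL from a user-writable path: {inv["dll"]}')
        if inv["loader"] == "rundll32" and inv["entry"].startswith("#"):
            reasons.append(f'rundll32 calls an export by ordinal {inv["entry"]} (no name to search for)')
        if inv["loader"] == "regsvr32" and inv["silent"]:
            reasons.append(f'regsvr32 /s: {inv["entry"]} runs with failures hidden')
    # A browser started by something other than the shell or another browser
    # instance is a candidate injection target.
    for parent, child, _ in rows:
        p, c = ntpath.basename(parent).lower(), ntpath.basename(child).lower()
        if c in BROWSERS and p != "explorer.exe" and p not in BROWSERS:
            reasons.append(f"{c} started by {p} rather than the shell: candidate injection target")
    return reasons


if __name__ == "__main__":
    for inv in dll_invocations(PROCESS_CREATED):
        print(f'{inv["parent"]} -> {inv["loader"]} {inv["dll"]} : {inv["entry"]}')
    print("\n".join(triage(PROCESS_CREATED)))
```

The cmd.exe row is deliberately not counted as a loader invocation even though its command line mentions rundll32.exe: the child image, not the command-line text, decides which process actually maps the DLL, and the rundll32.exe it spawns is recorded as its own row.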
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D788003-4BE3-11EC-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Temp\~DFA1E2BE88D585CFB5.TMP
Source: classification engine, Classification label: mal64.troj.evad.winDLL@17/115@11/3
Source: C:\Program Files\internet explorer\iexplore.exe, File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 2zTgaLRFkL.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2zTgaLRFkL.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2zTgaLRFkL.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2zTgaLRFkL.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2zTgaLRFkL.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2zTgaLRFkL.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 2zTgaLRFkL.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 2zTgaLRFkL.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2zTgaLRFkL.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2zTgaLRFkL.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2zTgaLRFkL.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2zTgaLRFkL.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2zTgaLRFkL.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_73213230 push ecx; ret 0_2_73213243
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_73213230 push ecx; ret 2_2_73213243
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2zTgaLRFkL.dll

                    Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match, File source: 5.2.rundll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.4620000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.4620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.regsvr32.exe.4600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.2ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
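The Yara match lists under Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, and Hooking and other Techniques for Hiding and Protection all cite the same ten sources: six .unpack artifacts and four .sdmp memory dumps. The dump names carry the memory region they were taken from, and the protection field is a standard Windows PAGE_* value (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE), so the names alone say that the Ursnif matches in regsvr32.exe (base 0x4620000) and rundll32.exe (base 0x2ED0000) sit in RWX memory, that is, code written at runtime, while the matches at 0x4600000 and 0x2EB0000 are in RW regions. A Yara hit by itself does not say whether the region was executable; the protection field does. The following Python is an added example, not part of the report or of Joe Sandbox: the field layout it assumes (process index, phase, id, base, protection, type for .sdmp; process index, phase, image, base, index for .unpack) is this example's reading of the names on this page, and the last .sdmp field is left undecoded because its meaning is not given here.

```python
import re
from collections import defaultdict

# Constructed sample input: the ten Yara match sources cited in this report.
YARA_SOURCES = [
    "5.2.rundll32.exe.2ed0000.1.raw.unpack",
    "2.2.regsvr32.exe.4620000.1.unpack",
    "5.2.rundll32.exe.2eb0000.0.raw.unpack",
    "2.2.regsvr32.exe.4620000.1.raw.unpack",
    "2.2.regsvr32.exe.4600000.0.raw.unpack",
    "5.2.rundll32.exe.2ed0000.1.unpack",
    "00000002.00000002.911757798.0000000004620000.00000040.00000001.sdmp",
    "00000002.00000002.911635582.0000000004600000.00000004.00000001.sdmp",
    "00000005.00000002.911557435.0000000002ED0000.00000040.00000010.sdmp",
    "00000005.00000002.911406171.0000000002EB0000.00000004.00000010.sdmp",
]

# Windows memory protection constants (winnt.h): the low byte carries one of
# these, the higher bits are modifiers.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}

# Assumed field layout (this example's reading of the names on the page):
#   <proc>.<phase>.<image>.<base hex>.<index>.[raw.]unpack
#   <proc>.<phase>.<id>.<base hex>.<protection hex>.<type hex>.sdmp
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)"
    r"\.(?P<index>\d+)\.(?P<raw>raw\.)?unpack$", re.I)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<id>\d+)"
    r"\.(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<type>[0-9a-f]{8})\.sdmp$", re.I)


def protection_name(value):
    """Render a PAGE_* protection value, keeping any modifier bits."""
    names = [PAGE_PROTECT.get(value & 0xFF, hex(value & 0xFF))]
    names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def decode(name):
    """Decode one Yara source name into its fields; raise on an unknown shape."""
    m = UNPACK_RE.match(name)
    if m:
        return {"kind": "unpack", "proc": int(m["proc"]), "phase": int(m["phase"]),
                "image": m["image"], "base": int(m["base"], 16),
                "index": int(m["index"]), "raw": m["raw"] is not None, "name": name}
    m = SDMP_RE.match(name)
    if m:
        protect = int(m["protect"], 16)
        return {"kind": "sdmp", "proc": int(m["proc"], 16), "phase": int(m["phase"], 16),
                "id": int(m["id"]), "base": int(m["base"], 16),
                "protect_value": protect, "protect": protection_name(protect),
                # any PAGE_EXECUTE* value lives in the 0xF0 nibble
                "executable": bool(protect & 0xF0),
                "type_raw": m["type"],  # meaning not given on the page; left undecoded
                "name": name}
    raise ValueError(f"unrecognised source name: {name}")


def rwx_regions(sources):
    """(process index, base) of every dumped region that was PAGE_EXECUTE_READWRITE."""
    return {(d["proc"], d["base"]) for d in map(decode, sources)
            if d["kind"] == "sdmp" and d["protect_value"] & 0xFF == 0x40}


def correlate(sources):
    """Map each memory dump's (proc, base) to the .unpack artifacts carved from the same region."""
    decoded = [decode(s) for s in sources]
    by_region = defaultdict(list)
    for d in decoded:
        if d["kind"] == "unpack":
            by_region[(d["proc"], d["base"])].append(d["name"])
    return {(d["proc"], d["base"]): sorted(by_region.get((d["proc"], d["base"]), []))
            for d in decoded if d["kind"] == "sdmp"}


if __name__ == "__main__":
    dumps = {(d["proc"], d["base"]): d for d in map(decode, YARA_SOURCES) if d["kind"] == "sdmp"}
    for region, artifacts in correlate(YARA_SOURCES).items():
        proc, base = region
        print(f"proc {proc} base {base:#x} {dumps[region]['protect']}: {len(artifacts)} unpack artifact(s)")
```

Run against the report's list, the two RWX regions are (2, 0x4620000) and (5, 0x2ED0000), each with a .unpack and a .raw.unpack copy carved from it; the two RW regions each have a single .raw.unpack copy.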

                    Malware Analysis System Evasion:
