Windows Analysis Report WTXuYxax6d.dll

Overview

General Information

Sample Name: WTXuYxax6d.dll
Analysis ID: 527046
MD5: cbe2a109ef92af54de51a534980151a7
SHA1: e71ab85a35df851229f87fde059ad35ed167bdbc
SHA256: 450a436cf830b03533a2ce0d8d40724d61c8b0e5f8164413c05d2c870b4ba8eb
Tags: dll geo Gozi ISFB ITA ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Contains functionality to read the PEB
Registers a DLL
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.a60000.2.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "v1wySnSj0/Qezkq1+zqVG7OQdnxYD8ELZYNPMCkM69BOSUxuoiK8V9jGPFM/rZ9NhfGzVodUM3YW0nB89rcH84RZYG8DLN6HQCkubhXRasaUA7K7h+3lZamvjyookCKgwBWzlu6vCX1eURNonlpROKDMQKBVqofzDshoxJHbAdjZcKqCfEt5vgt07jQB8OABEnd9fROXGjobZcsdaOkEjTvELBFteszn3jqJa1HvAPkpE5gs00qstYhkLp1L+MgFUoKXEL4WViIcGGNpbyyXZKBlebQs4TypEMrC0SUg0PsB7mmSQ4ESN3oL02+qpL14r8rTcWPMVTQH9/bLARbe3XOvj+AriFcBjSRm8ai2Vy0=", "c2_domain": ["microsoft.com/windowsdisabler", "https://technoshoper.com", "https://avolebukoneh.website", "http://technoshoper.com", "http://avolebukoneh.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: WTXuYxax6d.dll Virustotal: Detection: 18%
Source: WTXuYxax6d.dll ReversingLabs: Detection: 25%
Multi AV Scanner detection for domain / URL
Source: technoshoper.com Virustotal: Detection: 6%
Source: avolebukoneh.website Virustotal: Detection: 6%
Source: http://avolebukoneh.website Virustotal: Detection: 6%
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.rundll32.exe.a60000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.regsvr32.exe.9f0000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.920000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D6AD0 CryptDecrypt,CryptImportKey,VirtualAlloc, 0_2_736D6AD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D61F0 DllRegisterServer,VirtualAlloc,VirtualAlloc,CryptSetKeyParam,CryptAcquireContextA,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptDecrypt,VirtualAlloc,VirtualAlloc, 0_2_736D61F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D6AD0 CryptDecrypt,CryptImportKey,VirtualAlloc, 2_2_736D6AD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D61F0 DllRegisterServer,VirtualAlloc,VirtualAlloc,CryptSetKeyParam,CryptAcquireContextA,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptDecrypt,VirtualAlloc,VirtualAlloc, 2_2_736D61F0

Compliance:

Uses 32bit PE files
Source: WTXuYxax6d.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.6:49821 version: TLS 1.2
Source: WTXuYxax6d.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736DA676 FindFirstFileExW, 0_2_736DA676
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736DA676 FindFirstFileExW, 2_2_736DA676

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: avolebukoneh.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.9.20.245 187
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: technoshoper.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DEDIPATH-LLCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.7.139
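The "System process connects to network" finding above (regsvr32.exe resolving the two C2 domains, rundll32.exe connecting to 45.9.20.245) is the most actionable detection in this report: regsvr32.exe, rundll32.exe and loaddll32.exe exist to host other code and have no reason to originate DNS lookups or outbound sessions themselves. The following is an added example, not part of the Joe Sandbox report, of that logic as a scoring rule over Sysmon-style events (Event ID 22 = DNS query, Event ID 3 = network connection). The event lines are constructed to mirror the report; the key=value line format is an assumption for this example, while the field names are Sysmon's. It also encodes two caveats a practitioner should keep: the JA3 hash listed above fingerprints the TLS client stack rather than the malware, so a match only adds weight, and 104.26.7.139 is a Cloudflare edge address shared by many tenants, so it is not used as a C2 indicator on its own.

```python
"""Flag network activity originating from DLL-hosting LOLBins.

Added example; it is not part of the Joe Sandbox report. Models the
"System process connects to network" finding as detection logic over
Sysmon-style events. Sample events are constructed, not captured telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass

# Signed Windows binaries whose only job is to host other code. They have no
# business originating DNS lookups or outbound sessions of their own.
LOLBIN_HOSTS = {"regsvr32.exe", "rundll32.exe", "loaddll32.exe", "mshta.exe"}

# Indicators taken from the report's extracted configuration / network section.
C2_DOMAINS = {"technoshoper.com", "avolebukoneh.website"}
C2_IPS = {"45.9.20.245"}
# JA3 from the report. A JA3 hash identifies the TLS client stack, not the
# malware, so a match only adds weight and is never sufficient on its own.
SUSPECT_JA3 = {"9e10692f1b7f78228b2d4e424db3a98c"}
# 104.26.7.139 (the report's "IP seen with other malware") is a Cloudflare
# edge address shared by many tenants, so it is deliberately NOT in C2_IPS.


@dataclass
class Alert:
    score: int      # 50 = LOLBin touched the network, +40 C2 IOC, +10 JA3
    reason: str
    event: dict


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # assumed key=value line format


def parse_event(line):
    """Parse a key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False   # unparsable destination: treat as external


def evaluate(event):
    """Return an Alert for LOLBin-originated DNS/network activity, else None."""
    image = image_name(event.get("Image", ""))
    if image not in LOLBIN_HOSTS:
        return None
    eid = event.get("EventID")
    if eid == "22":                                   # Sysmon DNSEvent
        q = event.get("QueryName", "").lower()
        pts = 50 + (40 if q in C2_DOMAINS else 0)
        return Alert(pts, f"{image} resolved {q}", event)
    if eid == "3":                                    # Sysmon NetworkConnect
        dst = event.get("DestinationIp", "")
        if is_private(dst):
            return None   # intranet traffic needs its own baseline
        pts = (50 + (40 if dst in C2_IPS else 0)
                  + (10 if event.get("JA3") in SUSPECT_JA3 else 0))
        port = event.get("DestinationPort", "?")
        return Alert(pts, f"{image} connected to {dst}:{port}", event)
    return None


def scan(lines):
    alerts = [evaluate(parse_event(line)) for line in lines]
    return [a for a in alerts if a is not None]


# Constructed sample events mirroring the report (port 187 is the value the
# report lists for the rundll32.exe -> 45.9.20.245 connection).
SAMPLE_EVENTS = [
    r'EventID=22 Image=C:\Windows\SysWOW64\regsvr32.exe QueryName=avolebukoneh.website',
    r'EventID=22 Image=C:\Windows\SysWOW64\regsvr32.exe QueryName=technoshoper.com',
    r'EventID=3 Image=C:\Windows\SysWOW64\rundll32.exe DestinationIp=45.9.20.245 DestinationPort=187',
    r'EventID=3 Image=C:\Windows\SysWOW64\rundll32.exe DestinationIp=104.26.7.139 DestinationPort=443 JA3=9e10692f1b7f78228b2d4e424db3a98c',
    r'EventID=3 Image=C:\Windows\SysWOW64\rundll32.exe DestinationIp=192.168.2.1 DestinationPort=445',
    r'EventID=3 Image="C:\Program Files (x86)\Internet Explorer\iexplore.exe" DestinationIp=104.26.7.139 DestinationPort=443',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.score, a.reason)
```

The two C2 resolutions and the 45.9.20.245 session score 90; the rundll32.exe session to the Cloudflare address scores 60 (LOLBin plus JA3 corroboration, no C2 match); the intranet SMB connection and the browser's own TLS session are suppressed. In production the 50-point base rule is the one worth tuning, since some installers legitimately drive rundll32.exe to the network.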
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: de-ch[1].htm.6.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x5b7697ab,0x01d7e09b</date><accdate>0x5bc2e279,0x01d7e09b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x5cea86ad,0x01d7e09b</date><accdate>0x5d098694,0x01d7e09b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x5d6da6d7,0x01d7e09b</date><accdate>0x5d8ca4fa,0x01d7e09b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 
48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: rundll32.exe, 00000003.00000003.612905346.0000000004FD8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.884237946.00000000052F8000.00000004.00000040.sdmp String found in binary or memory: http://avolebukoneh.website
Source: rundll32.exe, 00000003.00000003.612905346.0000000004FD8000.00000004.00000040.sdmp String found in binary or memory: http://avolebukoneh.website/glik/.lwe.bmp08899
Source: regsvr32.exe, 00000002.00000003.620315557.00000000053B8000.00000004.00000040.sdmp String found in binary or memory: http://avolebukoneh.website/glik/.lwe.bmp088991256473871MNTYAIDA1010010B
Source: regsvr32.exe, 00000002.00000002.880576445.0000000002F97000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: loaddll32.exe, 00000000.00000002.880735294.00000000016F0000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.756172604.0000000002F70000.00000004.00000001.sdmp String found in binary or memory: http://schemas.mic
Source: {5EF2C13E-4C8E-11EC-90E5-ECF4BB2D2496}.dat.4.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: imagestore.dat.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: rundll32.exe, 00000003.00000003.612905346.0000000004FD8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.884237946.00000000052F8000.00000004.00000040.sdmp String found in binary or memory: http://technoshoper.com
Source: msapplication.xml.4.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.4.dr String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.4.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.4.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.4.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.4.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.4.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.4.dr String found in binary or memory: http://www.youtube.com/
Source: rundll32.exe, 00000003.00000002.884652837.00000000054F0000.00000004.00000001.sdmp String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: regsvr32.exe, 00000002.00000003.734351733.0000000003000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.726519233.00000000054F1000.00000004.00000001.sdmp String found in binary or memory: https://aka.ms/MicrosoftEdgeDownload&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: de-ch[1].htm.6.dr String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36
Source: regsvr32.exe, 00000002.00000003.734498309.0000000004FC1000.00000004.00000040.sdmp String found in binary or memory: https://assets.onestore.ms/cdnfiles/external/mwf/long/v1/v1.25.0/css/mwf-west-european-default.min.c
Source: rundll32.exe, 00000005.00000003.726877023.0000000005896000.00000004.00000001.sdmp String found in binary or memory: https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html
Source: rundll32.exe, 00000003.00000003.612905346.0000000004FD8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.884237946.00000000052F8000.00000004.00000040.sdmp String found in binary or memory: https://avolebukoneh.website
Source: regsvr32.exe, 00000002.00000002.880576445.0000000002F97000.00000004.00000020.sdmp String found in binary or memory: https://avolebukoneh.website/
Source: regsvr32.exe, 00000002.00000003.845351193.0000000002F97000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/e
Source: regsvr32.exe, 00000002.00000003.800848610.0000000002F76000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/glik/KwktcAgJA3haqk0/Ms0fL0B4XccTTFIyK9/usG_2BHjp/uyERKVkE6Su_2Fw3uS2y/
Source: regsvr32.exe, 00000002.00000003.845331673.0000000002F70000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/glik/kUbizXMZCF/wcseO9tQzGMWY7_2B/Eo6XsQr55EXJ/TJZ97_2F328/3bdZBpl1pP_2
Source: regsvr32.exe, 00000002.00000003.686079514.0000000002F76000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/glik/oPO1MTCZATyGVB9JDx/_2BxLrMZv/XGH5EgNCAONySOCpr4U_/2F_2FSC6yLxw_2BR
Source: regsvr32.exe, 00000002.00000003.823530558.0000000002F70000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/glik/pAGZhq9MI53nZ7
Source: regsvr32.exe, 00000002.00000003.756172604.0000000002F70000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/glik/pAGZhq9MI53nZ7OH/rIg4LX9fBTj6p
Source: regsvr32.exe, 00000002.00000003.731474179.0000000002F70000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.731155022.0000000002F76000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/glik/pAGZhq9MI53nZ7OH/rIg4LX9fBTj6pjl/8TeMZNhc43A_2FVYsQ/YCg3QZ_2F/BXKX
Source: regsvr32.exe, 00000002.00000003.845351193.0000000002F97000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/l
Source: regsvr32.exe, 00000002.00000003.845351193.0000000002F97000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/lI
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=195119&amp;a=3064090&amp;g=25021476
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
Source: {5EF2C13E-4C8E-11EC-90E5-ECF4BB2D2496}.dat.4.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: {5EF2C13E-4C8E-11EC-90E5-ECF4BB2D2496}.dat.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {5EF2C13E-4C8E-11EC-90E5-ECF4BB2D2496}.dat.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: iab2Data[1].json.6.dr String found in binary or memory: https://doceree.com/.well-known/deviceStorage.json
Source: iab2Data[1].json.6.dr String found in binary or memory: https://doceree.com/us-privacy-policy/
Source: rundll32.exe, 00000005.00000003.726877023.0000000005896000.00000004.00000001.sdmp String found in binary or memory: https://docs.microsoft.co
Source: iab2Data[1].json.6.dr String found in binary or memory: https://evorra.com/product-privacy-policy/
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: rundll32.exe, 00000003.00000003.726519233.00000000054F1000.00000004.00000001.sdmp String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1637661098&amp;rver
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1637661098&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1637661099&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1637661098&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.6.dr String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
Source: iab2Data[1].json.6.dr String found in binary or memory: https://nextmillennium.io/privacy-policy/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: iab2Data[1].json.6.dr String found in binary or memory: https://optimise-it.de/datenschutz
Source: de-ch[1].htm.6.dr String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: {5EF2C13E-4C8E-11EC-90E5-ECF4BB2D2496}.dat.4.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.6.dr String found in binary or memory: https://secure.adnxs.com/clktrb?id=764680&amp;t=1
Source: iab2Data[1].json.6.dr String found in binary or memory: https://silvermob.com/privacy
Source: iab2Data[1].json.6.dr String found in binary or memory: https://smartyads.com/privacy-policy
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
Source: imagestore.dat.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAQXqYx.img?h=368&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: rundll32.exe, 00000003.00000002.884652837.00000000054F0000.00000004.00000001.sdmp String found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://support.skype.com
Source: loaddll32.exe, 00000000.00000002.880807454.0000000001AE8000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.620315557.00000000053B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.612905346.0000000004FD8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.884237946.00000000052F8000.00000004.00000040.sdmp String found in binary or memory: https://technoshoper.com
Source: regsvr32.exe, 00000002.00000002.880576445.0000000002F97000.00000004.00000020.sdmp String found in binary or memory: https://technoshoper.com/
Source: regsvr32.exe, 00000002.00000003.823390201.0000000002F97000.00000004.00000001.sdmp String found in binary or memory: https://technoshoper.com/H
Source: regsvr32.exe, 00000002.00000003.708524872.0000000002F97000.00000004.00000001.sdmp String found in binary or memory: https://technoshoper.com/Y
Source: regsvr32.exe, 00000002.00000002.880512445.0000000002F70000.00000004.00000020.sdmp String found in binary or memory: https://technoshoper.com/glik/DGgts_2FWsor6_2F7EcO1Do/0g4WUbLA1T/K9_2Bu0NIeWan9Hma/XZBvL_2BDNj7/jAap
Source: regsvr32.exe, 00000002.00000003.778713654.0000000002F76000.00000004.00000001.sdmp String found in binary or memory: https://technoshoper.com/glik/OQ_2FSYw86Sxjr/PESASP_2FSM3YGvvX26Dq/ljvCWkBfAIxpXwGa/HkN5fLu170jCgxh/
Source: regsvr32.exe, 00000002.00000003.708500123.0000000002F76000.00000004.00000001.sdmp String found in binary or memory: https://technoshoper.com/glik/lsOg58W5F/6ZKRcoE0Nf7NwQdc4and/0Ilh3sQ5ND8zcWVsYpl/LRv_2FK7ZV_2F34vpiC
Source: regsvr32.exe, 00000002.00000003.664286279.0000000002F73000.00000004.00000001.sdmp String found in binary or memory: https://technoshoper.com/glik/qu_2BrFb5C/WnN6ktioLVJSC7NZ8/8U42mL0TVXds/GucNTaVpvRD/cGAaQnoHqkvTq7/u
Source: regsvr32.exe, 00000002.00000003.845351193.0000000002F97000.00000004.00000001.sdmp String found in binary or memory: https://technoshoper.com/glik/rHKCmFtHVZPPm/wqY5wPH_/2F29vTv7wl_2FGq_2BrLvy6/oSB1MCzJ6Y/1nsQKibmjik_
Source: regsvr32.exe, 00000002.00000003.778604990.0000000002F97000.00000004.00000001.sdmp String found in binary or memory: https://technoshoper.com/k
Source: loaddll32.exe, 00000000.00000002.880807454.0000000001AE8000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.620315557.00000000053B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.612905346.0000000004FD8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.884237946.00000000052F8000.00000004.00000040.sdmp String found in binary or memory: https://technoshoper.comhttps://avolebukoneh.websitehttp://technoshoper.comhttp://avolebukoneh.websi
Source: de-ch[1].htm.6.dr String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.6.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.botman.ninja/privacy-policy
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: imagestore.dat.6.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: {5EF2C13E-4C8E-11EC-90E5-ECF4BB2D2496}.dat.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/%c3%b6ffentliche-terrassen-und-mehr-velowege-dar%c3%bcber-stimm
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/brand-an-der-langstrasse/ar-AAQXL4f?ocid=hplocalnews
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/defektes-paket-mit-radioaktivem-inhalt-in-swiss-flieger-entdeck
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/die-stadt-will-neue-velostationen-und-f%c3%bchrt-vierstunden-pa
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/er-schrie-g%c3%b6nd-weg-verpisst-euch-dann-gab-er-gas/ar-AAR0rV
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/kann-bei-diesem-tempo-und-so-vielen-passagieren-nicht-einfach-b
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-liefert-sich-wilde-verfolgungsjagd-mit-der-poli
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%b6fffahrer-st%c3%bcrzt-nach-verfolgungsjagd-mit-der-polize
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/whistleblower-verliert-vor-gericht-gegen-z%c3%bcrcher-unispital
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/sport/other/runter-rauf-runter-wie-gc-in-genf-vom-weg-abkommt/ar-AAQYdQe?o
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.onlineumfragen.com/3index_2010_agb.cfm
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.queryclick.com/privacy-policy
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.de/ssp-datenschutz
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.tippsundtricks.co/gesundheit/finger-persoenlichkeit/?utm_campaign=DECH-Finger&amp;utm_so
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.tippsundtricks.co/gesundheit/knoblauchzehe-unters-kopfkissen/?utm_campaign=DECH-Knoblauc
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&amp;utm_sourc
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: global traffic HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1
  Accept: application/javascript, */*;q=0.8
  Referer: https://www.msn.com/de-ch/?ocid=iehp
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: btloader.com
  Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.6:49821 version: TLS 1.2
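The string hits above mix the sample's real C2 URLs (technoshoper.com and avolebukoneh.website, with `/glik/` paths that carry Ursnif's `_2B`/`_2F` substitution for `+` and `/` in its base64 request blob) with hundreds of msn.com, advertising and consent-vendor URLs recovered from dropped browser files. The following Python script is an added triage example, not part of the Joe Sandbox report or of the Ursnif sample itself: it parses lines in the report's own format and keeps a hit when its host matches an entry of the extracted c2_domain list (honouring the path on the `microsoft.com/windowsdisabler` entry) or when its path carries the `_2B`/`_2F` encoding. The six-line sample input is a constructed excerpt in the report's format, and the reading of `.sdmp` as a process memory dump and `.dr` as a dropped file is an assumption about Joe Sandbox source naming.

```python
"""Triage Joe Sandbox 'String found in binary or memory' hits against an
extracted Ursnif config: keep hits that point at configured C2 hosts or
carry Ursnif's URL-safe base64 path encoding, drop browser-cache noise."""
import re
from urllib.parse import urlsplit

# Constructed sample: six lines in the report's own format (three C2 strings
# from regsvr32.exe memory, three browser-cache or benign strings).
SAMPLE_LINES = """\
Source: regsvr32.exe, 00000002.00000003.800848610.0000000002F76000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/glik/KwktcAgJA3haqk0/Ms0fL0B4XccTTFIyK9/usG_2BHjp/uyERKVkE6Su_2Fw3uS2y/
Source: regsvr32.exe, 00000002.00000003.845351193.0000000002F97000.00000004.00000001.sdmp String found in binary or memory: https://technoshoper.com/glik/rHKCmFtHVZPPm/wqY5wPH_/2F29vTv7wl_2FGq_2BrLvy6/oSB1MCzJ6Y/1nsQKibmjik_
Source: regsvr32.exe, 00000002.00000003.845351193.0000000002F97000.00000004.00000001.sdmp String found in binary or memory: https://avolebukoneh.website/lI
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: rundll32.exe, 00000005.00000003.726877023.0000000005896000.00000004.00000001.sdmp String found in binary or memory: https://docs.microsoft.co
Source: iab2Data[1].json.6.dr String found in binary or memory: https://doceree.com/us-privacy-policy/
"""

# c2_domain list from the extracted configuration at the top of the report.
C2_DOMAINS = [
    "microsoft.com/windowsdisabler",
    "https://technoshoper.com",
    "https://avolebukoneh.website",
    "http://technoshoper.com",
    "http://avolebukoneh.website",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) String found in binary or memory: (?P<url>\S+)$"
)
# Ursnif writes '+' as _2B and '/' as _2F inside its base64 request blob and
# breaks the blob up with extra '/' characters, so _2B/_2F in a URL path is a
# family marker even when the host is not in the config.
URSNIF_PATH_RE = re.compile(r"_2[BF]")


def _split_c2(entry):
    """Normalise a config entry to (host, path_prefix). Entries without a
    scheme (e.g. 'microsoft.com/windowsdisabler') are read as host[/path]."""
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    return parts.hostname.lower(), parts.path.rstrip("/")


C2_TARGETS = [_split_c2(e) for e in C2_DOMAINS]


def classify_source(src):
    """Assumed Joe Sandbox naming: '.sdmp' is a process memory dump,
    '.dr' is a file dropped or written during the run."""
    if ".sdmp" in src:
        return "memory"
    if src.endswith(".dr"):
        return "dropped-file"
    return "other"


def match_c2(url):
    """Return the reasons this URL looks like Ursnif C2 traffic (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    for c2_host, c2_path in C2_TARGETS:
        # exact host match; a path-bearing entry must also match its path prefix
        if host == c2_host and (not c2_path or parts.path.startswith(c2_path)):
            reasons.append("c2-host")
            break
    if URSNIF_PATH_RE.search(parts.path):
        reasons.append("ursnif-path-encoding")
    return reasons


def triage(report_text):
    """Split string hits into (c2_hits, noise). Each item records the URL,
    the report's source text, the source kind and the match reasons."""
    c2_hits, noise = [], []
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url, src = m.group("url"), m.group("src")
        item = {
            "url": url,
            "source": src,
            "kind": classify_source(src),
            "reasons": match_c2(url),
        }
        (c2_hits if item["reasons"] else noise).append(item)
    return c2_hits, noise


if __name__ == "__main__":
    hits, rest = triage(SAMPLE_LINES)
    for h in hits:
        print(f"[C2] {h['kind']:<12} {', '.join(h['reasons']):<32} {h['url']}")
    print(f"{len(rest)} string(s) discarded as browser-cache or benign noise")
```

Run as-is it reports three C2 hits and three discarded strings; pasting the full string list in place of the sample gives the same split for the whole report. Exact host matching is deliberate: `docs.microsoft.co` and the akamaized Microsoft CDN strings must not be pulled in by the path-bearing `microsoft.com/windowsdisabler` entry, while a truncated memory string such as `https://avolebukoneh.website/lI` is still flagged by its host.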

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.620315557.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.884237946.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613835753.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612905346.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612880805.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612995967.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880807454.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701819091.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.613174085.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.664565353.000000000513D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620214841.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.702016309.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613794834.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.642767964.000000000523B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881549232.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620265495.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635568127.0000000004E5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620243933.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613948347.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620142786.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701985470.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.679769381.0000000004C5F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.702307918.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.657340118.0000000004D5D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620475830.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701915707.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613862631.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613818747.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.884432102.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613737711.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620285363.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.613014620.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612932234.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.658506384.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612953290.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620302187.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612852123.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701957231.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.746687116.000000000186D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.768852725.000000000176F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.686987362.000000000503F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701777888.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.702038882.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.724522780.000000000196B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.636697378.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.681026277.0000000004F7F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620184852.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613707607.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701868957.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612982412.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613851431.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613762692.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
Source: Yara match File source: 5.2.rundll32.exe.2b80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4ea94a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.9f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.12994a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4ea94a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49a94a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2b80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.d80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d494a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d494a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49a94a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.12994a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2b70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.920000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.883888908.0000000004D49000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.881014887.0000000002B80000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.879831053.0000000000A50000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.879916049.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.879772547.0000000000A40000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.884087885.00000000049A9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881330354.0000000004EA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.879852238.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880442482.0000000001299000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878853677.0000000000870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.879036722.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878927946.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.879010768.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.879009895.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.880994352.0000000002B70000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.878979369.0000000000990000.00000004.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.620315557.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.884237946.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613835753.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612905346.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612880805.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612995967.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880807454.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701819091.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.613174085.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.664565353.000000000513D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620214841.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.702016309.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613794834.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.642767964.000000000523B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881549232.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620265495.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635568127.0000000004E5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620243933.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613948347.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620142786.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701985470.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.679769381.0000000004C5F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.702307918.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.657340118.0000000004D5D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620475830.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701915707.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613862631.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613818747.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.884432102.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613737711.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620285363.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.613014620.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612932234.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.658506384.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612953290.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620302187.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612852123.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701957231.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.746687116.000000000186D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.768852725.000000000176F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.686987362.000000000503F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701777888.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.702038882.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.724522780.000000000196B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.636697378.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.681026277.0000000004F7F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620184852.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613707607.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701868957.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612982412.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613851431.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613762692.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
Source: Yara match File source: 5.2.rundll32.exe.2b80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.a80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4ea94a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.9f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.12994a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4ea94a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49a94a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2b80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.d80000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d494a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4d494a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49a94a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.12994a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2b70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.a90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.920000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.883888908.0000000004D49000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.881014887.0000000002B80000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.879831053.0000000000A50000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.879916049.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.879772547.0000000000A40000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.884087885.00000000049A9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881330354.0000000004EA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.879852238.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880442482.0000000001299000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878853677.0000000000870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.879036722.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878927946.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.879010768.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.879009895.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.880994352.0000000002B70000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.878979369.0000000000990000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D6AD0 CryptDecrypt,CryptImportKey,VirtualAlloc, 0_2_736D6AD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D61F0 DllRegisterServer,VirtualAlloc,VirtualAlloc,CryptSetKeyParam,CryptAcquireContextA,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptDecrypt,VirtualAlloc,VirtualAlloc, 0_2_736D61F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D6AD0 CryptDecrypt,CryptImportKey,VirtualAlloc, 2_2_736D6AD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D61F0 DllRegisterServer,VirtualAlloc,VirtualAlloc,CryptSetKeyParam,CryptAcquireContextA,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptDecrypt,VirtualAlloc,VirtualAlloc, 2_2_736D61F0

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: WTXuYxax6d.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D6760 0_2_736D6760
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D5BB0 0_2_736D5BB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736E05D3 0_2_736E05D3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D48B0 0_2_736D48B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D489D 0_2_736D489D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A8E8A8 0_2_00A8E8A8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A83089 0_2_00A83089
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A8E8FB 0_2_00A8E8FB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A8AF14 0_2_00A8AF14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A8235B 0_2_00A8235B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D6760 2_2_736D6760
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D5BB0 2_2_736D5BB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736E05D3 2_2_736E05D3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D48B0 2_2_736D48B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D489D 2_2_736D489D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A621B4 3_2_00A621B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A9E8A8 3_2_00A9E8A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A93089 3_2_00A93089
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A9E8FB 3_2_00A9E8FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A9AF14 3_2_00A9AF14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A9235B 3_2_00A9235B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B821B4 5_2_02B821B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BBE8A8 5_2_02BBE8A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BB3089 5_2_02BB3089
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BBE8FB 5_2_02BBE8FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BBAF14 5_2_02BBAF14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BB235B 5_2_02BB235B
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 736D82C0 appears 60 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 736D82C0 appears 60 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A86307 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00A86307
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A8B139 NtQueryVirtualMemory, 0_2_00A8B139
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A6138A NtMapViewOfSection, 3_2_00A6138A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A612E2 GetProcAddress,NtCreateSection,memset, 3_2_00A612E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A6156C SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 3_2_00A6156C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A623D5 NtQueryVirtualMemory, 3_2_00A623D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A96307 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_00A96307
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A9B139 NtQueryVirtualMemory, 3_2_00A9B139
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B8138A NtMapViewOfSection, 5_2_02B8138A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B8156C SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 5_2_02B8156C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B812E2 GetProcAddress,NtCreateSection,memset, 5_2_02B812E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B823D5 NtQueryVirtualMemory, 5_2_02B823D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BB6307 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_02BB6307
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BBB139 NtQueryVirtualMemory, 5_2_02BBB139
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: WTXuYxax6d.dll Virustotal: Detection: 18%
Source: WTXuYxax6d.dll ReversingLabs: Detection: 25%
Source: WTXuYxax6d.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\WTXuYxax6d.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WTXuYxax6d.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\WTXuYxax6d.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WTXuYxax6d.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WTXuYxax6d.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7020 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WTXuYxax6d.dll,azfdnkcrayghb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WTXuYxax6d.dll,bngggbakts
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WTXuYxax6d.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\WTXuYxax6d.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WTXuYxax6d.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WTXuYxax6d.dll,azfdnkcrayghb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WTXuYxax6d.dll,bngggbakts
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WTXuYxax6d.dll",#1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7020 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5EF2C13C-4C8E-11EC-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFCCE32108ABF6B532.TMP
Source: classification engine Classification label: mal96.troj.evad.winDLL@17/114@45/3
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A8A1D4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00A8A1D4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WTXuYxax6d.dll",#1
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: WTXuYxax6d.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WTXuYxax6d.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WTXuYxax6d.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WTXuYxax6d.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WTXuYxax6d.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WTXuYxax6d.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: WTXuYxax6d.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: WTXuYxax6d.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WTXuYxax6d.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WTXuYxax6d.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WTXuYxax6d.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WTXuYxax6d.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WTXuYxax6d.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D78C0 push ecx; ret 0_2_736D78D3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A8ABD0 push ecx; ret 0_2_00A8ABD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A8AF03 push ecx; ret 0_2_00A8AF13
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D78C0 push ecx; ret 2_2_736D78D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A621A3 push ecx; ret 3_2_00A621B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A62150 push ecx; ret 3_2_00A62159
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A9ABD0 push ecx; ret 3_2_00A9ABD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A9AF03 push ecx; ret 3_2_00A9AF13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B821A3 push ecx; ret 5_2_02B821B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02B82150 push ecx; ret 5_2_02B82159
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BBABD0 push ecx; ret 5_2_02BBABD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02BBAF03 push ecx; ret 5_2_02BBAF13
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A616C3 LoadLibraryA,GetProcAddress, 3_2_00A616C3
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\WTXuYxax6d.dll
Source: initial sample Static PE information: section name: .text entropy: 7.13842205011

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.620315557.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.884237946.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613835753.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612905346.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612880805.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612995967.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880807454.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701819091.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.613174085.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.664565353.000000000513D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620214841.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.702016309.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613794834.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.642767964.000000000523B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881549232.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620265495.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.635568127.0000000004E5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620243933.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613948347.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620142786.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701985470.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.679769381.0000000004C5F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.702307918.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.657340118.0000000004D5D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620475830.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701915707.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613862631.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613818747.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.884432102.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613737711.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620285363.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.613014620.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612932234.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.658506384.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612953290.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620302187.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612852123.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701957231.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.746687116.000000000186D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.768852725.000000000176F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.686987362.000000000503F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701777888.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.702038882.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.724522780.000000000196B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.636697378.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.681026277.0000000004F7F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.620184852.00000000053B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.613707607.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.701868957.0000000001AE8000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4264 Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5884 Thread sleep time: -210000s >= -30000s
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736DA676 FindFirstFileExW, 0_2_736DA676
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736DA676 FindFirstFileExW, 2_2_736DA676
Source: regsvr32.exe, 00000002.00000003.778713654.0000000002F76000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000002.00000003.845301317.0000000002F4A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWp{

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D9FB8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_736D9FB8
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A616C3 LoadLibraryA,GetProcAddress, 3_2_00A616C3
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736DBD8C GetProcessHeap, 0_2_736DBD8C
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D6AD0 mov eax, dword ptr fs:[00000030h] 0_2_736D6AD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D9F85 mov eax, dword ptr fs:[00000030h] 0_2_736D9F85
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D6620 mov eax, dword ptr fs:[00000030h] 0_2_736D6620
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D8DCB mov eax, dword ptr fs:[00000030h] 0_2_736D8DCB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D6AD0 mov eax, dword ptr fs:[00000030h] 2_2_736D6AD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D9F85 mov eax, dword ptr fs:[00000030h] 2_2_736D9F85
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D6620 mov eax, dword ptr fs:[00000030h] 2_2_736D6620
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D8DCB mov eax, dword ptr fs:[00000030h] 2_2_736D8DCB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D9FB8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_736D9FB8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D7214 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_736D7214
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D76ED IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_736D76ED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D9FB8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_736D9FB8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D7214 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_736D7214
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_736D76ED IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_736D76ED

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: avolebukoneh.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.9.20.245 187
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: technoshoper.com
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WTXuYxax6d.dll",#1
Source: loaddll32.exe, 00000000.00000002.880973456.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.881091593.0000000003530000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.881548512.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.881470565.0000000003290000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.880973456.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.881091593.0000000003530000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.881548512.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.881470565.0000000003290000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.880973456.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.881091593.0000000003530000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.881548512.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.881470565.0000000003290000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.880973456.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.881091593.0000000003530000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.881548512.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.881470565.0000000003290000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D78D7 cpuid 0_2_736D78D7
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_736D7336 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_736D7336
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A87648 GetVersion,GetLastError, 0_2_00A87648
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00A89DE1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00A89DE1

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif