Windows Analysis Report fiHY95Y1CZ.exe

Overview

General Information

Sample Name: fiHY95Y1CZ.exe (renamed file extension from exe to dll)
Analysis ID: 540821
MD5: 3b7d8109b37e996e06ae68144f37a73c
SHA1: 9ee1957c39834e9ea87cd72d7f09e9f08e1712d3
SHA256: 53f09461a48f10c95f426cd179106cbe94fba81c498fb7414d6a849470ee777e
Tags: exe, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Registers a DLL
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6620 cmdline: loaddll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6664 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6712 cmdline: rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6700 cmdline: regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 6728 cmdline: rundll32.exe C:\Users\user\Desktop\fiHY95Y1CZ.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
(5 of 19 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6664, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1, ProcessId: 6712

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.776128784.0000000000710000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: fiHY95Y1CZ.dll, Virustotal: Detection: 23%
Source: fiHY95Y1CZ.dll, ReversingLabs: Detection: 37%
Antivirus detection for URL or domain
Source: https://berukoneru.website:4434, Avira URL Cloud: Label: malware
Source: https://berukoneru.website:443, Avira URL Cloud: Label: malware
Source: https://berukoneru.website/tire/pwsRZXEKCNadKEKqX1o9/b2Zj7hHedRFWAjDTz7_/2FOi9hvcPIf92jE5HHyv1B/OfZF, Avira URL Cloud: Label: malware
Source: https://berukoneru.website/, Avira URL Cloud: Label: malware
Source: https://berukoneru.website/tire/za2qkobGG8hjnBcNlK5rpy/DM0ZTFZcdObn9/heBYxiqA/288tZtaDdhUDDHi0oDe4mT, Avira URL Cloud: Label: malware
Source: https://berukoneru.website/n, Avira URL Cloud: Label: malware
Source: https://berukoneru.website/tire/r5QiHxjTySmGYdSO5D/jcUwjLzfU/E7ReP6jBdZthorydDqCp/VP_2FtRTEArd2s1OvU, Avira URL Cloud: Label: malware
Source: https://berukoneru.website/_, Avira URL Cloud: Label: malware
Source: https://berukoneru.website/f, Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: berukoneru.website, Virustotal: Detection: 9%
Source: gerukoneru.website, Virustotal: Detection: 8%
Source: fortunarah.com, Virustotal: Detection: 9%
Machine Learning detection for sample
Source: fiHY95Y1CZ.dll, Joe Sandbox ML: detected
Source: 1.2.loaddll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 4.2.regsvr32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 5.2.rundll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 6.2.rundll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: fiHY95Y1CZ.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 3.20.161.64 187
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: gerukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 3.12.124.139 187
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: fortunarah.com
Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
            Source: unknownDNS traffic detected: queries for: windows.update3.com

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR
            Source: loaddll32.exe, 00000001.00000002.776460108.000000000079B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR

            System Summary:

            PE file has a writeable .text section
            Source: fiHY95Y1CZ.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: fiHY95Y1CZ.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002244
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00781006
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0078B084
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00783373
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0078294D
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590DF9
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590DF7
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0346294D
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_03463373
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0346B084
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_006E1006
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_006EB084
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_006E3373
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_006E294D
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00740DF7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00740DF9
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00541006
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0054B084
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0054294D
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00543373
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00720DF7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00720DF9
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001297 GetProcAddress,NtCreateSection,memset,
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001E31 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002058 NtMapViewOfSection,
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002465 NtQueryVirtualMemory,
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00786C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0078B2A9 NtQueryVirtualMemory,
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590880 NtAllocateVirtualMemory,
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590ABA NtProtectVirtualMemory,
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_005908B7 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_03466C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0346B2A9 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_006E6C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_006EB2A9 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_007408B7 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00740ABA NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00740880 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00546C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0054B2A9 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_007208B7 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00720ABA NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_00720880 NtAllocateVirtualMemory,
            Source: fiHY95Y1CZ.dllBinary or memory string: OriginalFilenameSymErr.exeT vs fiHY95Y1CZ.dll
            Source: fiHY95Y1CZ.dllBinary or memory string: OriginalFilenameNsc.exe. vs fiHY95Y1CZ.dll
            Source: fiHY95Y1CZ.dllBinary or memory string: OriginalFilenamebyInstallHelper.exe. vs fiHY95Y1CZ.dll
            Source: fiHY95Y1CZ.dllBinary or memory string: OriginalFilenameBgRegister.exe4 vs fiHY95Y1CZ.dll
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiHY95Y1CZ.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
            Source: fiHY95Y1CZ.dllStatic PE information: invalid certificate
            Source: fiHY95Y1CZ.dllVirustotal: Detection: 23%
            Source: fiHY95Y1CZ.dllReversingLabs: Detection: 37%
            Source: fiHY95Y1CZ.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll"
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fiHY95Y1CZ.dll,DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fiHY95Y1CZ.dll,DllRegisterServer
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: classification engineClassification label: mal100.troj.evad.winDLL@9/0@91/4
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00783309 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
            Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: fiHY95Y1CZ.dllStatic file information: File size 1776800 > 1048576
            Source: fiHY95Y1CZ.dllStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16fa00
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002233 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100021E0 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0078B073 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0078E97E pushad ; iretd
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_0078AD40 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590A66 push edx; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_005905DF push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590ECD push 1001C571h; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590BFC push dword ptr [esp+0Ch]; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590BFC push dword ptr [esp+10h]; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_005906F5 push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590880 push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00590ABA push edx; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_005908B7 push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_005908B7 push dword ptr [ebp-0000028Ch]; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_005908B7 push edx; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_005908B7 push dword ptr [esp+10h]; ret
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0346AD40 push ecx; ret
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0346E97E pushad ; iretd
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0346B073 push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_006EB073 push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_006EE97E pushad ; iretd
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_006EAD40 push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00740A66 push edx; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_007406F5 push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00740ECD push 1001C571h; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_007408B7 push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_007408B7 push dword ptr [ebp-0000028Ch]; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_007408B7 push edx; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_007408B7 push dword ptr [esp+10h]; ret
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00740ABA push edx; ret
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001D26 LoadLibraryA,GetProcAddress,
            Source: fiHY95Y1CZ.dllStatic PE information: real checksum: 0x1b3666 should be: 0x1b9826
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2800 | Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2800 | Thread sleep count: 131 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6312 | Thread sleep time: -210000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 754
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 2057
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 423
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1379
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1273
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 2114
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1316
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 881
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 519
Source: loaddll32.exe, 00000001.00000002.776460108.000000000079B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWx
Source: loaddll32.exe, 00000001.00000003.391563664.00000000007FE000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000003.713545660.00000000007FE000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.538531416.00000000007FE000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.658990293.00000000007FE000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.726780006.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.601752687.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.671260223.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.419508234.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729612790.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.441407855.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.751486716.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777634144.00000000007C9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000003.726780006.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.601752687.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.671260223.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.419508234.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729612790.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.441407855.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.751486716.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777634144.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.568624459.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.626245074.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.397624626.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.474820798.00000000007C9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.649386034.00000000007C9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWpTo=
Source: rundll32.exe, 00000006.00000003.729512473.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.501682388.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.671371303.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.397669919.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.546877094.0000000000790000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777298156.0000000000790000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWH
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001D26 LoadLibraryA,GetProcAddress,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590C57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590B14 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590BFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_005908B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740C57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_007408B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740B14 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740BFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00720C57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00720CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_007208B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00720B14 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00720BFC mov eax, dword ptr fs:[00000030h]

            HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 3.20.161.64 187
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: gerukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 3.12.124.139 187
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: fortunarah.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
Source: loaddll32.exe, 00000001.00000002.778444156.0000000000EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.779417132.00000000038F0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.780211416.00000000031B0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.780551458.00000000031B0000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.778444156.0000000000EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.779417132.00000000038F0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.780211416.00000000031B0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.780551458.00000000031B0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.778444156.0000000000EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.779417132.00000000038F0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.780211416.00000000031B0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.780551458.00000000031B0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.778444156.0000000000EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.779417132.00000000038F0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.780211416.00000000031B0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.780551458.00000000031B0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0078A303 cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001815 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100015CF CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0078A303 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

            Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR

            Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR

            Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation2 | DLL Side-Loading1 | Process Injection112 | Virtualization/Sandbox Evasion1 | Input Capture1 | System Time Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Process Injection112 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Regsvr321 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | Account Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | System Owner/User Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery13 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

Behavior Graph ID: 540821, Sample: fiHY95Y1CZ.exe, Startdate: 16/12/2021, Architecture: WINDOWS, Score: 100

Start node: windows.update3.com, gerukoneru.website, 2 other IPs or domains; signatures: Multi AV Scanner detection for domain / URL, Found malware configuration, Antivirus detection for URL or domain, 5 other signatures; starts loaddll32.exe

loaddll32.exe: windows.update3.com, gerukoneru.website, 3 other IPs or domains; signatures: Writes or reads registry keys via WMI, Writes registry values via WMI; starts regsvr32.exe, cmd.exe, rundll32.exe

regsvr32.exe: windows.update3.com, gerukoneru.website, 3 other IPs or domains; signatures: System process connects to network (likely due to code injection or exploit), Writes or reads registry keys via WMI, Writes registry values via WMI

cmd.exe: starts rundll32.exe

rundll32.exe (started by loaddll32.exe): windows.update3.com, gerukoneru.website, 4 other IPs or domains

rundll32.exe (started by cmd.exe): 3.12.124.139, 443, 49856, 49858 AMAZON-02US United States; 3.20.161.64, 443, 49779, 49782 AMAZON-02US United States; 5 other IPs or domains; signature: Writes registry values via WMI


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label | Link
fiHY95Y1CZ.dll | 24% | Virustotal | | Browse
fiHY95Y1CZ.dll | 38% | ReversingLabs | Win32.Infostealer.Gozi |
fiHY95Y1CZ.dll | 100% | Joe Sandbox ML | |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
4.2.regsvr32.exe.3460000.1.unpack | 100% | Avira | HEUR/AGEN.1108168 | | Download File
1.2.loaddll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8 | | Download File
5.2.rundll32.exe.6e0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 | | Download File
1.2.loaddll32.exe.780000.1.unpack | 100% | Avira | HEUR/AGEN.1108168 | | Download File
4.2.regsvr32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8 | | Download File
5.2.rundll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8 | | Download File
6.2.rundll32.exe.540000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 | | Download File
6.2.rundll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8 | | Download File

            Domains

Source | Detection | Scanner | Label | Link
berukoneru.website | 10% | Virustotal | | Browse
windows.update3.com | 0% | Virustotal | | Browse
gerukoneru.website | 9% | Virustotal | | Browse
fortunarah.com | 10% | Virustotal | | Browse

            URLs

Source | Detection | Scanner | Label | Link
https://gerukoneru.website:443 | 0% | Avira URL Cloud | safe |
https://windows.update3.com/2 | 0% | Avira URL Cloud | safe |
https://berukoneru.website:4434 | 100% | Avira URL Cloud | malware |
https://berukoneru.website:443 | 100% | Avira URL Cloud | malware |
https://gerukoneru.website/7 | 0% | Avira URL Cloud | safe |
https://berukoneru.website/tire/pwsRZXEKCNadKEKqX1o9/b2Zj7hHedRFWAjDTz7_/2FOi9hvcPIf92jE5HHyv1B/OfZF | 100% | Avira URL Cloud | malware |
https://windows.update3.com/ | 0% | Avira URL Cloud | safe |
https://windows.update3.com/llU | 0% | Avira URL Cloud | safe |
https://windows.update3.com/tire/Wt7VtJWXxvCxj/q8Hicv2m/rYOqGahqW2aY_2BSfNZT5kT/9hHx0IzQpe/vlCX_2Bqh | 0% | Avira URL Cloud | safe |
https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html | 0% | Avira URL Cloud | safe |
https://windows.update3.com/tire/fPNeZGvZ_2FjPtgP/S4ORv62WOG6CqCc/RpObjfG9eDuBR7sVqh/4jcyxlUAH/kr39Z | 0% | Avira URL Cloud | safe |
https://fortunarah.com/ | 0% | Avira URL Cloud | safe |
https://gerukoneru.website/g | 0% | Avira URL Cloud | safe |
https://gerukoneru.website/f | 0% | Avira URL Cloud | safe |
https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respo | 0% | Avira URL Cloud | safe |
https://berukoneru.website/ | 100% | Avira URL Cloud | malware |
https://windows.update3.com/tire/e5hjYNeWetXz_2B/Th5RGlAc56d_2FCUbi/NUhZqTgpn/_2FHcnisafGQJWYV9uWj/n | 0% | Avira URL Cloud | safe |
https://berukoneru.website/tire/za2qkobGG8hjnBcNlK5rpy/DM0ZTFZcdObn9/heBYxiqA/288tZtaDdhUDDHi0oDe4mT | 100% | Avira URL Cloud | malware |
https://gerukoneru.website/o | 0% | Avira URL Cloud | safe |
https://gerukoneru.website/ | 0% | Avira URL Cloud | safe |
https://gerukoneru.website/tire/2BC_2BBRBNFJ1PmozxxmKVd/gm6Dkla7K7/8u9w5b_2FXO_2FnQt/BMclQSrzXXf4/Rq | 0% | Avira URL Cloud | safe |
https://windows.update3.com/Z | 0% | Avira URL Cloud | safe |
https://c.s | 0% | Avira URL Cloud | safe |
https://gerukoneru.website/V | 0% | Avira URL Cloud | safe |
https://nodejs.org0 | 0% | Avira URL Cloud | safe |
https://berukoneru.website/n | 100% | Avira URL Cloud | malware |
https://berukoneru.website/tire/r5QiHxjTySmGYdSO5D/jcUwjLzfU/E7ReP6jBdZthorydDqCp/VP_2FtRTEArd2s1OvU | 100% | Avira URL Cloud | malware |
https://gerukoneru.website/_ | 0% | Avira URL Cloud | safe |
https://berukoneru.website/_ | 100% | Avira URL Cloud | malware |
https://fortunarah.com/g | 0% | Avira URL Cloud | safe |
https://berukoneru.website/f | 100% | Avira URL Cloud | malware |
https://windows.update3.com/tire/NBe6wGJmUc0TyUzeyP/5Njlm_2FV/AnUx9J_2FMkoEzFmIRim/7MsjKW4RRjAKub2A8 | 0% | Avira URL Cloud | safe |

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 18.219.227.107 | true | false | | high
berukoneru.website | unknown | unknown | true | | unknown
windows.update3.com | unknown | unknown | true | | unknown
gerukoneru.website | unknown | unknown | true | | unknown
fortunarah.com | unknown | unknown | true | | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/MicrosoftEdgeDownload" | loaddll32.exe, 00000001.00000003.592813795.0000000000881000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.592855025.0000000000887000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.472113086.0000000000873000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.346748265.0000000000862000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.713588601.0000000000859000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.713545660.00000000007FE000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.482058539.0000000005EF9000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.608955593.0000000005EF9000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.731403472.0000000005EFC000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.352117976.000000000082B000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.479898288.000000000081C000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.479797692.00000000007DA000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729501485.000000000077D000.00000004.00000001.sdmp | false | | high
https://gerukoneru.website:443 | loaddll32.exe, 00000001.00000003.713526931.00000000007EA000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.658945899.00000000007EA000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.777190196.00000000007EA000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.update3.com/2 | rundll32.exe, 00000006.00000003.441260649.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.397522414.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.479797692.00000000007DA000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.474120676.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.419365031.00000000007DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://berukoneru.website:4434 | loaddll32.exe, 00000001.00000002.777998802.0000000000887000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://berukoneru.website:443 | loaddll32.exe, 00000001.00000003.658945899.00000000007EA000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://gerukoneru.website/7 | loaddll32.exe, 00000001.00000003.659059165.0000000000816000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.658990293.00000000007FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/pwsRZXEKCNadKEKqX1o9/b2Zj7hHedRFWAjDTz7_/2FOi9hvcPIf92jE5HHyv1B/OfZF | loaddll32.exe, 00000001.00000002.776460108.000000000079B000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
https://windows.update3.com/ | rundll32.exe, 00000006.00000003.524614944.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.419365031.00000000007DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.update3.com/llU | loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.update3.com/tire/Wt7VtJWXxvCxj/q8Hicv2m/rYOqGahqW2aY_2BSfNZT5kT/9hHx0IzQpe/vlCX_2Bqh | loaddll32.exe, 00000001.00000003.658990293.00000000007FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | rundll32.exe, 00000006.00000003.352095689.0000000005211000.00000004.00000001.sdmp | false | | high
https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html | loaddll32.exe, 00000001.00000003.346748265.0000000000862000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.482058539.0000000005EF9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729501485.000000000077D000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729801829.000000000081E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.update3.com/tire/fPNeZGvZ_2FjPtgP/S4ORv62WOG6CqCc/RpObjfG9eDuBR7sVqh/4jcyxlUAH/kr39Z | rundll32.exe, 00000006.00000002.776805911.000000000074A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://fortunarah.com/ | rundll32.exe, 00000006.00000003.726928677.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.474120676.00000000007DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://gerukoneru.website/g | loaddll32.exe, 00000001.00000003.538576666.000000000083A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://gerukoneru.website/f | rundll32.exe, 00000006.00000003.693315999.00000000007DE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respo | loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://berukoneru.website/ | loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.546840107.000000000077E000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777730381.00000000007DE000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://windows.update3.com/tire/e5hjYNeWetXz_2B/Th5RGlAc56d_2FCUbi/NUhZqTgpn/_2FHcnisafGQJWYV9uWj/n | loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/za2qkobGG8hjnBcNlK5rpy/DM0ZTFZcdObn9/heBYxiqA/288tZtaDdhUDDHi0oDe4mT | rundll32.exe, 00000006.00000002.777335258.0000000000797000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://gerukoneru.website/o | loaddll32.exe, 00000001.00000003.538576666.000000000083A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://gerukoneru.website/ | loaddll32.exe, 00000001.00000003.538576666.000000000083A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://gerukoneru.website/tire/2BC_2BBRBNFJ1PmozxxmKVd/gm6Dkla7K7/8u9w5b_2FXO_2FnQt/BMclQSrzXXf4/Rq | loaddll32.exe, 00000001.00000003.538445534.0000000000857000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.update3.com/Z | loaddll32.exe, 00000001.00000003.391563664.00000000007FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  https://c.sloaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://gerukoneru.website/Vrundll32.exe, 00000006.00000003.441260649.00000000007DF000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://nodejs.org0fiHY95Y1CZ.dllfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://berukoneru.website/nrundll32.exe, 00000006.00000002.777730381.00000000007DE000.00000004.00000001.sdmptrue
                  • Avira URL Cloud: malware
                  unknown
                  http://schema.org/Organizationrundll32.exe, 00000006.00000003.568560207.0000000000833000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.649323077.0000000000833000.00000004.00000001.sdmpfalse
                    high
                    https://berukoneru.website/tire/r5QiHxjTySmGYdSO5D/jcUwjLzfU/E7ReP6jBdZthorydDqCp/VP_2FtRTEArd2s1OvUloaddll32.exe, 00000001.00000003.391598549.000000000083A000.00000004.00000001.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    https://gerukoneru.website/_loaddll32.exe, 00000001.00000003.538576666.000000000083A000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://berukoneru.website/_loaddll32.exe, 00000001.00000003.391598549.000000000083A000.00000004.00000001.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    https://fortunarah.com/grundll32.exe, 00000006.00000003.474120676.00000000007DF000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://berukoneru.website/frundll32.exe, 00000006.00000003.671393257.00000000007DE000.00000004.00000001.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    https://windows.update3.com/tire/NBe6wGJmUc0TyUzeyP/5Njlm_2FV/AnUx9J_2FMkoEzFmIRim/7MsjKW4RRjAKub2A8loaddll32.exe, 00000001.00000003.392575385.000000000085C000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.391598549.000000000083A000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown

                    Contacted IPs


                    Public

                    IP | Domain | Country | ASN | ASN Name | Malicious
                    3.20.161.64 | unknown | United States | 16509 | AMAZON-02US | true
                    18.219.227.107 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
                    3.12.124.139 | unknown | United States | 16509 | AMAZON-02US | true

                    Private

                    IP
                    192.168.2.1

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:540821
                    Start date:16.12.2021
                    Start time:09:45:31
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 9m 45s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:fiHY95Y1CZ.exe (renamed file extension from exe to dll)
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of new started processes analysed:28
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.evad.winDLL@9/0@91/4
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 64% (good quality ratio 60.7%)
                    • Quality average: 78%
                    • Quality standard deviation: 29.5%
                    HCA Information:
                    • Successful, ratio: 92%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Override analysis time to 240s for rundll32
                    Warnings:
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                    • TCP Packets have been reduced to 100
                    • Excluded IPs from analysis (whitelisted): 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 23.211.5.92, 51.104.136.2
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, e13678.dscb.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, www.microsoft.com-c-3.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, microsoft.com, www.microsoft.com
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

                    Time | Type | Description
                    09:47:02 | API Interceptor | 36x Sleep call for process: rundll32.exe modified
                    09:47:03 | API Interceptor | 18x Sleep call for process: regsvr32.exe modified
                    09:47:03 | API Interceptor | 19x Sleep call for process: loaddll32.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    No created / dropped files found

                    Static File Info

                    General

                    File type:MS-DOS executable, MZ for MS-DOS
                    Entropy (8bit):5.256885449705882
                    TrID:
                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                    • Generic Win/DOS Executable (2004/3) 0.20%
                    • DOS Executable Generic (2002/1) 0.20%
                    • VXD Driver (31/22) 0.00%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:fiHY95Y1CZ.dll
                    File size:1776800
                    MD5:3b7d8109b37e996e06ae68144f37a73c
                    SHA1:9ee1957c39834e9ea87cd72d7f09e9f08e1712d3
                    SHA256:53f09461a48f10c95f426cd179106cbe94fba81c498fb7414d6a849470ee777e
                    SHA512:549f93153ae0659dfc4876cb5e7dd3b65316fe5293912bcde2828f014039e7528b854db608653296f277be6bcd1b7a725f846fdf9698390baea2b2636a7d19cc
                    SSDEEP:49152:4W58UQw8MT8UQw8MT8UQw8MT8UQw8MT8UQw8MT8UQw8MO:4O8UQw8MT8UQw8MT8UQw8MT8UQw8MT8L
                    File Content Preview:MZ......................................................................!..L.!This .ro.ra. cannot be run in DOS m.de....$.......PE..L......a...........!................................................................f6..................................P..

                    File Icon

                    Icon Hash:82b0f4c6d2c66cb1

                    Static PE Info

                    General

                    Entrypoint:0x1001c09b
                    Entrypoint Section:.text
                    Digitally signed:true
                    Imagebase:0x10000000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    DLL Characteristics:
                    Time Stamp:0x61B6D28E [Mon Dec 13 04:56:46 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:05e4e1045777d757fa17eaf53eecd299

                    Authenticode Signature

                    Signature Valid:false
                    Signature Issuer:CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                    Signature Validation Error:The digital signature of the object did not verify
                    Error Number:-2146869232
                    Not Before, Not After
                    • 10/1/2020 5:00:00 PM 12/18/2023 4:00:00 AM
                    Subject Chain
                    • CN=OpenJS Foundation, O=OpenJS Foundation, L=San Francisco, S=California, C=US
                    Version:3
                    Thumbprint MD5:8E8056A2284F0304445ED325353454BF
                    Thumbprint SHA-1:E16BB6EE4ED3935C46C356D147E811286BA4BBFE
                    Thumbprint SHA-256:968F9536C18A4475095B37792855AA62306275DEC05BD72F21653C98026CFC4E
                    Serial:038EDB2FC6E405731A760F1516144C85

                    Entrypoint Preview

                    Instruction
                    mov ebx, edi
                    or ebx, edi
                    push 10020DE5h
                    ret
                    int3
                    int3
                    push 100023C8h
                    int3
                    int3
                    int3
                    mov dword ptr [ebp-04h], esi
                    push 00000000h
                    jmp 00007F0D7CCA73DDh
                    int3
                    int3
                    xor eax, ebp
                    pop edi
                    xor esi, esi
                    int3
                    pop eax
                    int3
                    int3
                    push esi
                    push dword ptr [ebp+10h]
                    int3
                    mov dword ptr [ebp-04h], eax
                    int3
                    int3
                    int3
                    xor esi, esi
                    int3
                    int3
                    sub al, 38h
                    push 1001FCE8h
                    ret
                    int3
                    call 00007F0D7CCA1E2Fh
                    push 00000030h
                    int3
                    int3
                    int3
                    and dword ptr [ebp-08h], 00000000h
                    xor eax, eax
                    call 00007F0D7CCA1C80h
                    xor esi, esi
                    int3
                    mov ebp, esp
                    call dword ptr [1002ADACh]
                    push 100217ECh
                    ret
                    int3
                    call 00007F0D7CCA1C80h
                    pop ecx
                    ret
                    mov dword ptr fs:[00000000h], ecx
                    push dword ptr [ebp+10h]
                    int3
                    int3
                    push esi
                    pop ebx
                    mov esp, ebp
                    pop eax
                    mov esp, ebp
                    push ebx
                    push 1001C9D8h
                    ret
                    jc 00007F0D7CCA1C76h
                    jc 00007F0D7CCA1C76h
                    mov dword ptr [ebp-04h], 00000007h
                    pop ecx
                    int3
                    int3
                    int3
                    int3
                    push eax
                    int3
                    push 00000000h
                    jmp 00007F0D7CCA8137h
                    mov eax, dword ptr [ecx]
                    lea ebp, dword ptr [esp+10h]
                    jmp 00007F0D7CCA1C75h
                    mov dword ptr [ebp-18h], esp
                    int3
                    jmp dword ptr [10004074h]
                    int3
                    int3

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1acfd | 0x50 | .text
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x470b8 | 0xb4 | .data
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x16f8e8 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1b0400 | 0x18a0 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1be000 | 0x670 | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2ad08 | 0x27c | .data
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x28613 | 0x22000 | False | 0.518655215993 | data | 5.42328856771 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .data | 0x2a000 | 0x237af | 0x1d200 | False | 0.0684012875536 | data | 6.13260963822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x4e000 | 0x16f8e8 | 0x16fa00 | False | 0.2185235411 | data | 4.81723301086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x1be000 | 0x670 | 0x800 | False | 0.69384765625 | data | 5.74685750781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0x51f70 | 0x668 | data | English | United States
                    RT_ICON | 0x525d8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                    RT_ICON | 0x528c0 | 0x1e8 | data | English | United States
                    RT_ICON | 0x52aa8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x52bd0 | 0xea8 | data | English | United States
                    RT_ICON | 0x53a78 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                    RT_ICON | 0x54320 | 0x6c8 | data | English | United States
                    RT_ICON | 0x549e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x54f50 | 0x25a8 | data | English | United States
                    RT_ICON | 0x574f8 | 0x10a8 | data | English | United States
                    RT_ICON | 0x585a0 | 0x988 | data | English | United States
                    RT_ICON | 0x58f28 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x59390 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                    RT_ICON | 0x6b7b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                    RT_ICON | 0x703e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                    RT_ICON | 0x74608 | 0x25a8 | data | English | United States
                    RT_ICON | 0x76bb0 | 0x10a8 | data | English | United States
                    RT_ICON | 0x77c58 | 0xeb0 | data | English | United States
                    RT_ICON | 0x78b08 | 0x988 | data | English | United States
                    RT_ICON | 0x79490 | 0x6b8 | data | English | United States
                    RT_ICON | 0x79b48 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x79fb0 | 0x668 | data | English | United States
                    RT_ICON | 0x7a618 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                    RT_ICON | 0x7a900 | 0x1e8 | data | English | United States
                    RT_ICON | 0x7aae8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x7ac10 | 0xea8 | data | English | United States
                    RT_ICON | 0x7bab8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                    RT_ICON | 0x7c360 | 0x6c8 | data | English | United States
                    RT_ICON | 0x7ca28 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x7cf90 | 0x25a8 | data | English | United States
                    RT_ICON | 0x7f538 | 0x10a8 | data | English | United States
                    RT_ICON | 0x805e0 | 0x988 | data | English | United States
                    RT_ICON | 0x80f68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x813d0 | 0x668 | data | English | United States
                    RT_ICON | 0x81a38 | 0x2e8 | data | English | United States
                    RT_ICON | 0x81d20 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x81e48 | 0xea8 | data | English | United States
                    RT_ICON | 0x82cf0 | 0x8a8 | data | English | United States
                    RT_ICON | 0x83598 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x83b00 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                    RT_ICON | 0x88030 | 0x25a8 | data | English | United States
                    RT_ICON | 0x8a5d8 | 0x10a8 | data | English | United States
                    RT_ICON | 0x8b680 | 0x988 | data | English | United States
                    RT_ICON | 0x8c008 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x8c470 | 0x668 | data | English | United States
                    RT_ICON | 0x8cad8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                    RT_ICON | 0x8cdc0 | 0x1e8 | data | English | United States
                    RT_ICON | 0x8cfa8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x8d0d0 | 0xea8 | data | English | United States
                    RT_ICON | 0x8df78 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                    RT_ICON | 0x8e820 | 0x6c8 | data | English | United States
                    RT_ICON | 0x8eee8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x8f450 | 0x25a8 | data | English | United States
                    RT_ICON | 0x919f8 | 0x10a8 | data | English | United States
                    RT_ICON | 0x92aa0 | 0x988 | data | English | United States
                    RT_ICON | 0x93428 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x93890 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                    RT_ICON | 0xa5cb8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                    RT_ICON | 0xaa8e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                    RT_ICON | 0xaeb08 | 0x25a8 | data | English | United States
                    RT_ICON | 0xb10b0 | 0x10a8 | data | English | United States
                    RT_ICON | 0xb2158 | 0xeb0 | data | English | United States
                    RT_ICON | 0xb3008 | 0x988 | data | English | United States
                    RT_ICON | 0xb3990 | 0x6b8 | data | English | United States
                    RT_ICON | 0xb4048 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xb44b0 | 0x668 | data | English | United States
                    RT_ICON | 0xb4b18 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                    RT_ICON | 0xb4e00 | 0x1e8 | data | English | United States
                    RT_ICON | 0xb4fe8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xb5110 | 0xea8 | data | English | United States
                    RT_ICON | 0xb5fb8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                    RT_ICON | 0xb6860 | 0x6c8 | data | English | United States
                    RT_ICON | 0xb6f28 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xb7490 | 0x25a8 | data | English | United States
                    RT_ICON | 0xb9a38 | 0x10a8 | data | English | United States
                    RT_ICON | 0xbaae0 | 0x988 | data | English | United States
                    RT_ICON | 0xbb468 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xbb8d0 | 0x668 | data | English | United States
                    RT_ICON | 0xbbf38 | 0x2e8 | data | English | United States
                    RT_ICON | 0xbc220 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xbc348 | 0xea8 | data | English | United States
                    RT_ICON | 0xbd1f0 | 0x8a8 | data | English | United States
                    RT_ICON | 0xbda98 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xbe000 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                    RT_ICON | 0xc2530 | 0x25a8 | data | English | United States
                    RT_ICON | 0xc4ad8 | 0x10a8 | data | English | United States
                    RT_ICON | 0xc5b80 | 0x988 | data | English | United States
                    RT_ICON | 0xc6508 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xc6970 | 0x668 | data | English | United States
                    RT_ICON | 0xc6fd8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                    RT_ICON | 0xc72c0 | 0x1e8 | data | English | United States
                    RT_ICON | 0xc74a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xc75d0 | 0xea8 | data | English | United States
                    RT_ICON | 0xc8478 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                    RT_ICON | 0xc8d20 | 0x6c8 | data | English | United States
                    RT_ICON | 0xc93e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xc9950 | 0x25a8 | data | English | United States
                    RT_ICON | 0xcbef8 | 0x10a8 | data | English | United States
                    RT_ICON | 0xccfa0 | 0x988 | data | English | United States
                    RT_ICON | 0xcd928 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xcdd90 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                    RT_ICON | 0xe01b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                    RT_ICON | 0xe4de0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                    RT_ICON | 0xe9008 | 0x25a8 | data | English | United States
                    RT_ICON | 0xeb5b0 | 0x10a8 | data | English | United States
                    RT_ICON | 0xec658 | 0xeb0 | data | English | United States
                    RT_ICON | 0xed508 | 0x988 | data | English | United States
                    RT_ICON | 0xede90 | 0x6b8 | data | English | United States
                    RT_ICON | 0xee548 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xee9b0 | 0x668 | data | English | United States
                    RT_ICON | 0xef018 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                    RT_ICON | 0xef300 | 0x1e8 | data | English | United States
                    RT_ICON | 0xef4e8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xef610 | 0xea8 | data | English | United States
                    RT_ICON | 0xf04b8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                    RT_ICON | 0xf0d60 | 0x6c8 | data | English | United States
                    RT_ICON | 0xf1428 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xf1990 | 0x25a8 | data | English | United States
                    RT_ICON | 0xf3f38 | 0x10a8 | data | English | United States
                    RT_ICON | 0xf4fe0 | 0x988 | data | English | United States
                    RT_ICON | 0xf5968 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xf5dd0 | 0x668 | data | English | United States
                    RT_ICON | 0xf6438 | 0x2e8 | data | English | United States
                    RT_ICON | 0xf6720 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xf6848 | 0xea8 | data | English | United States
                    RT_ICON | 0xf76f0 | 0x8a8 | data | English | United States
                    RT_ICON | 0xf7f98 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0xf8500 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                    RT_ICON | 0xfca30 | 0x25a8 | data | English | United States
                    RT_ICON | 0xfefd8 | 0x10a8 | data | English | United States
                    RT_ICON | 0x100080 | 0x988 | data | English | United States
                    RT_ICON | 0x100a08 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x100e70 | 0x668 | data | English | United States
                    RT_ICON | 0x1014d8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                    RT_ICON | 0x1017c0 | 0x1e8 | data | English | United States
                    RT_ICON | 0x1019a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x101ad0 | 0xea8 | data | English | United States
                    RT_ICON | 0x102978 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                    RT_ICON | 0x103220 | 0x6c8 | data | English | United States
                    RT_ICON | 0x1038e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x103e50 | 0x25a8 | data | English | United States
                    RT_ICON | 0x1063f8 | 0x10a8 | data | English | United States
                    RT_ICON | 0x1074a0 | 0x988 | data | English | United States
                    RT_ICON | 0x107e28 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x108290 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                    RT_ICON | 0x11a6b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                    RT_ICON | 0x11f2e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                    RT_ICON | 0x123508 | 0x25a8 | data | English | United States
                    RT_ICON | 0x125ab0 | 0x10a8 | data | English | United States
                    RT_ICON | 0x126b58 | 0xeb0 | data | English | United States
                    RT_ICON | 0x127a08 | 0x988 | data | English | United States
                    RT_ICON | 0x128390 | 0x6b8 | data | English | United States
                    RT_ICON | 0x128a48 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x128eb0 | 0x668 | data | English | United States
                    RT_ICON | 0x129518 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                    RT_ICON | 0x129800 | 0x1e8 | data | English | United States
                    RT_ICON | 0x1299e8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x129b10 | 0xea8 | data | English | United States
                    RT_ICON | 0x12a9b8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                    RT_ICON | 0x12b260 | 0x6c8 | data | English | United States
                    RT_ICON | 0x12b928 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x12be90 | 0x25a8 | data | English | United States
                    RT_ICON | 0x12e438 | 0x10a8 | data | English | United States
                    RT_ICON | 0x12f4e0 | 0x988 | data | English | United States
                    RT_ICON | 0x12fe68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x1302d0 | 0x668 | data | English | United States
                    RT_ICON | 0x130938 | 0x2e8 | data | English | United States
                    RT_ICON | 0x130c20 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x130d48 | 0xea8 | data | English | United States
                    RT_ICON | 0x131bf0 | 0x8a8 | data | English | United States
                    RT_ICON | 0x132498 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x132a00 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                    RT_ICON | 0x136f30 | 0x25a8 | data | English | United States
                    RT_ICON | 0x1394d8 | 0x10a8 | data | English | United States
                    RT_ICON | 0x13a580 | 0x988 | data | English | United States
                    RT_ICON | 0x13af08 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x13b370 | 0x668 | data | English | United States
                    RT_ICON | 0x13b9d8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                    RT_ICON | 0x13bcc0 | 0x1e8 | data | English | United States
                    RT_ICON | 0x13bea8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x13bfd0 | 0xea8 | data | English | United States
                    RT_ICON | 0x13ce78 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                    RT_ICON | 0x13d720 | 0x6c8 | data | English | United States
                    RT_ICON | 0x13dde8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x13e350 | 0x25a8 | data | English | United States
                    RT_ICON | 0x1408f8 | 0x10a8 | data | English | United States
                    RT_ICON | 0x1419a0 | 0x988 | data | English | United States
                    RT_ICON | 0x142328 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON0x1427900x12428dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963EnglishUnited States
                    RT_ICON0x154bb80x4c28dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832EnglishUnited States
                    RT_ICON0x1597e00x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823EnglishUnited States
                    RT_ICON0x15da080x25a8dataEnglishUnited States
                    RT_ICON0x15ffb00x10a8dataEnglishUnited States
                    RT_ICON0x1610580xeb0dataEnglishUnited States
                    RT_ICON0x161f080x988dataEnglishUnited States
                    RT_ICON0x1628900x6b8dataEnglishUnited States
                    RT_ICON0x162f480x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1633b00x668dataEnglishUnited States
                    RT_ICON0x163a180x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577EnglishUnited States
                    RT_ICON0x163d000x1e8dataEnglishUnited States
                    RT_ICON0x163ee80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1640100xea8dataEnglishUnited States
                    RT_ICON0x164eb80x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                    RT_ICON0x1657600x6c8dataEnglishUnited States
                    RT_ICON0x165e280x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1663900x25a8dataEnglishUnited States
                    RT_ICON0x1689380x10a8dataEnglishUnited States
                    RT_ICON0x1699e00x988dataEnglishUnited States
                    RT_ICON0x16a3680x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x16a7d00x668dataEnglishUnited States
                    RT_ICON0x16ae380x2e8dataEnglishUnited States
                    RT_ICON0x16b1200x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x16b2480xea8dataEnglishUnited States
                    RT_ICON0x16c0f00x8a8dataEnglishUnited States
                    RT_ICON0x16c9980x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x16cf000x452ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                    RT_ICON0x1714300x25a8dataEnglishUnited States
                    RT_ICON0x1739d80x10a8dataEnglishUnited States
                    RT_ICON0x174a800x988dataEnglishUnited States
                    RT_ICON0x1754080x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1758700x668dataEnglishUnited States
                    RT_ICON0x175ed80x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577EnglishUnited States
                    RT_ICON0x1761c00x1e8dataEnglishUnited States
                    RT_ICON0x1763a80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1764d00xea8dataEnglishUnited States
                    RT_ICON0x1773780x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                    RT_ICON0x177c200x6c8dataEnglishUnited States
                    RT_ICON0x1782e80x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1788500x25a8dataEnglishUnited States
                    RT_ICON0x17adf80x10a8dataEnglishUnited States
                    RT_ICON0x17bea00x988dataEnglishUnited States
                    RT_ICON0x17c8280x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x17cc900x12428dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963EnglishUnited States
                    RT_ICON0x18f0b80x4c28dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832EnglishUnited States
                    RT_ICON0x193ce00x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823EnglishUnited States
                    RT_ICON0x197f080x25a8dataEnglishUnited States
                    RT_ICON0x19a4b00x10a8dataEnglishUnited States
                    RT_ICON0x19b5580xeb0dataEnglishUnited States
                    RT_ICON0x19c4080x988dataEnglishUnited States
                    RT_ICON0x19cd900x6b8dataEnglishUnited States
                    RT_ICON0x19d4480x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x19d8b00x668dataEnglishUnited States
                    RT_ICON0x19df180x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577EnglishUnited States
                    RT_ICON0x19e2000x1e8dataEnglishUnited States
                    RT_ICON0x19e3e80x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x19e5100xea8dataEnglishUnited States
                    RT_ICON0x19f3b80x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                    RT_ICON0x19fc600x6c8dataEnglishUnited States
                    RT_ICON0x1a03280x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1a08900x25a8dataEnglishUnited States
                    RT_ICON0x1a2e380x10a8dataEnglishUnited States
                    RT_ICON0x1a3ee00x988dataEnglishUnited States
                    RT_ICON0x1a48680x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1a4cd00x668dataEnglishUnited States
                    RT_ICON0x1a53380x2e8dataEnglishUnited States
                    RT_ICON0x1a56200x128GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1a57480xea8dataEnglishUnited States
                    RT_ICON0x1a65f00x8a8dataEnglishUnited States
                    RT_ICON0x1a6e980x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_ICON0x1a74000x452ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                    RT_ICON0x1ab9300x25a8dataEnglishUnited States
                    RT_ICON0x1aded80x10a8dataEnglishUnited States
                    RT_ICON0x1aef800x988dataEnglishUnited States
                    RT_ICON0x1af9080x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                    RT_GROUP_ICON0x1afd700xaedataEnglishUnited States
                    RT_GROUP_ICON0x1afe200x84dataEnglishUnited States
                    RT_GROUP_ICON0x1afea40xaedataEnglishUnited States
                    RT_GROUP_ICON0x1aff540xa0dataEnglishUnited States
                    RT_GROUP_ICON0x1afff40xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b00a40x84dataEnglishUnited States
                    RT_GROUP_ICON0x1b01280xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b01d80xa0dataEnglishUnited States
                    RT_GROUP_ICON0x1b02780xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b03280x84dataEnglishUnited States
                    RT_GROUP_ICON0x1b03ac0xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b045c0xa0dataEnglishUnited States
                    RT_GROUP_ICON0x1b04fc0xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b05ac0x84dataEnglishUnited States
                    RT_GROUP_ICON0x1b06300xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b06e00xa0dataEnglishUnited States
                    RT_GROUP_ICON0x1b07800xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b08300x84dataEnglishUnited States
                    RT_GROUP_ICON0x1b08b40xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b09640xa0dataEnglishUnited States
                    RT_GROUP_ICON0x1b0a040xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b0ab40x84dataEnglishUnited States
                    RT_GROUP_ICON0x1b0b380xaedataEnglishUnited States
                    RT_GROUP_ICON0x1b0be80xa0dataEnglishUnited States
                    RT_VERSION0x1b0c880x340dataEnglishUnited States
                    RT_VERSION0x1b0fc80x2f8dataEnglishUnited States
                    RT_VERSION0x1b12c00x344dataEnglishUnited States
                    RT_VERSION0x1b16040x318dataEnglishUnited States
                    RT_VERSION0x1b191c0x340dataEnglishUnited States
                    RT_VERSION0x1b1c5c0x2f8dataEnglishUnited States
                    RT_VERSION0x1b1f540x344dataEnglishUnited States
                    RT_VERSION0x1b22980x318dataEnglishUnited States
                    RT_VERSION0x1b25b00x340dataEnglishUnited States
                    RT_VERSION0x1b28f00x2f8dataEnglishUnited States
                    RT_VERSION0x1b2be80x344dataEnglishUnited States
                    RT_VERSION0x1b2f2c0x318dataEnglishUnited States
                    RT_VERSION0x1b32440x340dataEnglishUnited States
                    RT_VERSION0x1b35840x2f8dataEnglishUnited States
                    RT_VERSION0x1b387c0x344dataEnglishUnited States
                    RT_VERSION0x1b3bc00x318dataEnglishUnited States
                    RT_VERSION0x1b3ed80x340dataEnglishUnited States
                    RT_VERSION0x1b42180x2f8dataEnglishUnited States
                    RT_VERSION0x1b45100x344dataEnglishUnited States
                    RT_VERSION0x1b48540x318dataEnglishUnited States
                    RT_VERSION0x1b4b6c0x340dataEnglishUnited States
                    RT_VERSION0x1b4eac0x2f8dataEnglishUnited States
                    RT_VERSION0x1b51a40x344dataEnglishUnited States
                    RT_VERSION0x1b54e80x318dataEnglishUnited States
                    RT_MANIFEST0x1b58000x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b5f800x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b61c80x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b65940x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b6d7c0x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b74fc0x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b77440x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b7b100x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b82f80x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b8a780x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b8cc00x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b908c0x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b98740x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1b9ff40x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1ba23c0x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1ba6080x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1badf00x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1bb5700x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1bb7b80x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1bbb840x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1bc36c0x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1bcaec0x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1bcd340x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                    RT_MANIFEST0x1bd1000x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States

                    Imports

                    DLL | Import
                    advapi32.dll | RegCreateKeyExW, RegDeleteValueW, RegSetValueExA, RegDeleteKeyA, RegEnumValueA, RegQueryValueExA, RegCloseKey, RegOpenKeyExA, RegEnumKeyA
                    gdi32.dll | SetBkMode, SelectObject, SetBkColor, CreateFontIndirectA, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetTextColor
                    kernel32.dll | GetModuleHandleA, GetProcAddress, LoadLibraryA, FindNextFileA, SetFileAttributesA, CompareFileTime, CloseHandle, LoadLibraryExA, SetCurrentDirectoryA, CreateThread, Sleep, CopyFileA, GetTickCount, GlobalLock, SetFileTime, WritePrivateProfileStringA, GetTempFileNameA, SetFilePointer, lstrlenA, MultiByteToWideChar, CreateFileA, lstrcatA, MulDiv, GetModuleFileNameA, DeleteFileA, WriteFile, lstrcmpiA, ExitProcess, GetExitCodeProcess, CreateDirectoryA, lstrcpynA, WaitForSingleObject, SetErrorMode, GetFileSize, GlobalAlloc, FindClose, VirtualProtectEx, SearchPathA, GetVersion, CreateProcessA, GetSystemDirectoryA, lstrcmpA, ReadFile, GetFullPathNameA, GetCurrentDirectoryA, GetWindowsDirectoryA, GlobalFree, MoveFileA, GetDiskFreeSpaceA, GetCommandLineA, GetShortPathNameA, FindFirstFileA, FreeLibrary, RemoveDirectoryA, GetTempPathA, GetPrivateProfileStringA, GetCurrentProcess, ExpandEnvironmentStringsA, GlobalUnlock, GetLastError, GetFileAttributesA
                    ole32.dll | OleUninitialize, CoTaskMemFree, CoCreateInstance, OleInitialize
                    shell32.dll | SHGetSpecialFolderLocation, ShellExecuteA, SHFileOperationA, SHBrowseForFolderA, SHGetFileInfoA, SHGetPathFromIDListA
                    user32.dll | SetWindowLongA, IsWindowEnabled, AppendMenuA, LoadBitmapA, EndPaint, SetWindowPos, DefWindowProcA, ShowWindow, SystemParametersInfoA, LoadCursorA, CreatePopupMenu, GetSysColor, ExitWindowsEx, DispatchMessageA, wsprintfA, RegisterClassA, DestroyWindow, ScreenToClient, CharNextA, EndDialog, GetSystemMetrics, DrawTextA, EnableMenuItem, CreateDialogParamA, GetDC, CharPrevA, GetMessagePos, FindWindowExA, SendMessageTimeoutA, CreateWindowExA, GetDlgItemTextA, GetSystemMenu, LoadImageA, SetWindowTextA, EmptyClipboard, InvalidateRect, GetWindowLongA, CheckDlgButton, SetDlgItemTextA, SetClipboardData, FillRect, OpenClipboard, GetWindowRect, IsWindow, MessageBoxIndirectA, BeginPaint, IsWindowVisible, SetCursor, EnableWindow, DialogBoxParamA, PostQuitMessage, TrackPopupMenu, SetClassLongA, GetClientRect, SetForegroundWindow, SendMessageA, CloseClipboard
                    version.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                    Exports

                    Name | Ordinal | Address
                    DllRegisterServer | 1 | 0x1001d45c

                    Version Infos

                    Description | Data
                    LegalCopyright | Copyright 2016 Symantec Corporation. All rights reserved.
                    InternalName | SymErr
                    FileVersion | 7.6.2.5
                    CompanyName | Symantec Corporation
                    ProductName | Symantec Shared Component
                    ProductVersion | 7.6
                    FileDescription | Symantec Error Reporting
                    OriginalFilename | SymErr.exe
                    Translation | 0x0409 0x04b0

                    Possible Origin

                    Language of compilation system | Country where language is spoken | Map
                    English | United States |

                    Network Behavior

                    Snort IDS Alerts

                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    12/16/21-09:48:04.909243 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:48:06.443354 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:48:07.457320 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:48:08.496291 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:48:10.177155 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:49:01.472370 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:49:02.539281 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:49:06.405672 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:49:07.484648 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:49:08.675917 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:49:11.266525 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:49:57.574727 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:49:59.580242 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:50:00.602049 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:50:05.088933 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:50:06.169872 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:50:08.187515 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8
                    12/16/21-09:50:08.812572 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8

                    Network Port Distribution

                    TCP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Dec 16, 2021 09:47:27.100218058 CET | 49778 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.100289106 CET | 443 | 49778 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.100368977 CET | 49778 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.100939989 CET | 49778 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.100954056 CET | 443 | 49778 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.149362087 CET | 49779 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.149394989 CET | 443 | 49779 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.149586916 CET | 49779 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.150409937 CET | 49779 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.150424957 CET | 443 | 49779 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.246618032 CET | 49780 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.246654034 CET | 443 | 49780 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.246778965 CET | 49780 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.247344971 CET | 49780 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.247361898 CET | 443 | 49780 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.249102116 CET | 443 | 49778 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.250370979 CET | 49781 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.250407934 CET | 443 | 49781 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.250519037 CET | 49781 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.251287937 CET | 49781 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.251306057 CET | 443 | 49781 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.299268961 CET | 443 | 49779 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.300725937 CET | 49782 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.300777912 CET | 443 | 49782 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.301008940 CET | 49782 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.302093029 CET | 49782 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.302120924 CET | 443 | 49782 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.395606041 CET | 443 | 49780 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.397231102 CET | 49783 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.397270918 CET | 443 | 49783 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.397381067 CET | 49783 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.398216009 CET | 49783 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.398235083 CET | 443 | 49783 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.399370909 CET | 443 | 49781 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.400723934 CET | 49784 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.400748014 CET | 443 | 49784 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.400891066 CET | 49784 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.401633024 CET | 49784 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.401649952 CET | 443 | 49784 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.450956106 CET | 443 | 49782 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.452037096 CET | 49785 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.452088118 CET | 443 | 49785 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.452183008 CET | 49785 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.452692032 CET | 49785 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.452707052 CET | 443 | 49785 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.546606064 CET | 443 | 49783 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.548146009 CET | 49786 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.548183918 CET | 443 | 49786 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.548283100 CET | 49786 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.549448013 CET | 443 | 49784 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.549674034 CET | 49786 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.549698114 CET | 443 | 49786 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.550810099 CET | 49787 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.550843954 CET | 443 | 49787 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.550932884 CET | 49787 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.552242041 CET | 49787 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.552259922 CET | 443 | 49787 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.601489067 CET | 443 | 49785 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.602624893 CET | 49788 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.602679968 CET | 443 | 49788 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.602771044 CET | 49788 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.603632927 CET | 49788 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:47:27.603663921 CET | 443 | 49788 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.697577953 CET | 443 | 49786 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.699625015 CET | 49789 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.699676037 CET | 443 | 49789 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.699815035 CET | 49789 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.700284958 CET | 443 | 49787 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.700881004 CET | 49789 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:27.700913906 CET | 443 | 49789 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:27.752491951 CET | 443 | 49788 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:47:27.849462986 CET | 443 | 49789 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:29.905601978 CET | 49791 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:29.905664921 CET | 443 | 49791 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:29.905766964 CET | 49791 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:29.906440020 CET | 49791 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:29.906467915 CET | 443 | 49791 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.054735899 CET | 443 | 49791 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.055824995 CET | 49792 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:30.055866957 CET | 443 | 49792 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.055951118 CET | 49792 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:30.056612015 CET | 49792 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:30.056634903 CET | 443 | 49792 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.204569101 CET | 443 | 49792 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.205724955 CET | 49793 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:30.205775023 CET | 443 | 49793 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.205923080 CET | 49793 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:30.206387997 CET | 49793 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:30.206418037 CET | 443 | 49793 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.354130983 CET | 443 | 49793 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.355756044 CET | 49794 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:30.355794907 CET | 443 | 49794 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.355875969 CET | 49794 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:30.356673002 CET | 49794 | 443 | 192.168.2.7 | 18.219.227.107
                    Dec 16, 2021 09:47:30.356686115 CET | 443 | 49794 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:47:30.504743099 CET | 443 | 49794 | 18.219.227.107 | 192.168.2.7
                    Dec 16, 2021 09:48:25.602668047 CET | 49850 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:48:25.602713108 CET | 443 | 49850 | 3.20.161.64 | 192.168.2.7
                    Dec 16, 2021 09:48:25.602794886 CET | 49850 | 443 | 192.168.2.7 | 3.20.161.64
                    Dec 16, 2021 09:48:25.603508949 CET | 49850 | 443 | 192.168.2.7 | 3.20.161.64

                    UDP Packets

                    TimestampSource PortDest PortSource IPDest IP

                    ICMP Packets

                    Timestamp | Source IP | Dest IP | Checksum | Code | Type

                    DNS Queries

                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                    DNS Answers

                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                    Dec 16, 2021 09:48:07.567496061 CET8.8.8.8192.168.2.70x66cServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:08.018371105 CET8.8.8.8192.168.2.70x549Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:08.130769968 CET8.8.8.8192.168.2.70x21ceServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:08.496167898 CET8.8.8.8192.168.2.70xab7Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:08.603629112 CET8.8.8.8192.168.2.70x66cServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:10.177064896 CET8.8.8.8192.168.2.70x21ceServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:25.599142075 CET8.8.8.8192.168.2.70x982bNo error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:48:25.599142075 CET8.8.8.8192.168.2.70x982bNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:25.599142075 CET8.8.8.8192.168.2.70x982bNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:25.599142075 CET8.8.8.8192.168.2.70x982bNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:29.128571987 CET8.8.8.8192.168.2.70xc765No error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:48:29.128571987 CET8.8.8.8192.168.2.70xc765No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:29.128571987 CET8.8.8.8192.168.2.70xc765No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:29.128571987 CET8.8.8.8192.168.2.70xc765No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:29.203954935 CET8.8.8.8192.168.2.70x89a2No error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:48:29.203954935 CET8.8.8.8192.168.2.70x89a2No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:29.203954935 CET8.8.8.8192.168.2.70x89a2No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:29.203954935 CET8.8.8.8192.168.2.70x89a2No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:30.273638964 CET8.8.8.8192.168.2.70xe5edNo error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:48:30.273638964 CET8.8.8.8192.168.2.70xe5edNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:30.273638964 CET8.8.8.8192.168.2.70xe5edNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:30.273638964 CET8.8.8.8192.168.2.70xe5edNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:36.262774944 CET8.8.8.8192.168.2.70xe4c8Name error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:39.954916954 CET8.8.8.8192.168.2.70x9240Name error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:40.087718010 CET8.8.8.8192.168.2.70x76c9Name error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:41.154951096 CET8.8.8.8192.168.2.70x19afName error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:46.421927929 CET8.8.8.8192.168.2.70xc45dName error (3)gerukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:50.187510967 CET8.8.8.8192.168.2.70xebe7Name error (3)gerukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:50.311907053 CET8.8.8.8192.168.2.70x4c5bName error (3)gerukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:48:51.377249002 CET8.8.8.8192.168.2.70x34dName error (3)gerukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:00.475156069 CET8.8.8.8192.168.2.70x3fa2Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:01.470026970 CET8.8.8.8192.168.2.70x3fa2Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:02.532615900 CET8.8.8.8192.168.2.70x3fa2Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:05.361011982 CET8.8.8.8192.168.2.70x2fa4Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:05.444638014 CET8.8.8.8192.168.2.70x417Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:06.399498940 CET8.8.8.8192.168.2.70x2fa4Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:06.476315022 CET8.8.8.8192.168.2.70x417Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:06.533787966 CET8.8.8.8192.168.2.70x2fa4Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:07.102721930 CET8.8.8.8192.168.2.70x9171Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:07.477535963 CET8.8.8.8192.168.2.70x417Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:08.113522053 CET8.8.8.8192.168.2.70x9171Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:08.675761938 CET8.8.8.8192.168.2.70x417Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:08.724967003 CET8.8.8.8192.168.2.70x2fa4Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:09.171401978 CET8.8.8.8192.168.2.70x9171Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:11.266437054 CET8.8.8.8192.168.2.70x9171Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:21.775130033 CET8.8.8.8192.168.2.70xdbc6No error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:49:21.775130033 CET8.8.8.8192.168.2.70xdbc6No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:21.775130033 CET8.8.8.8192.168.2.70xdbc6No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:21.775130033 CET8.8.8.8192.168.2.70xdbc6No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:27.365381002 CET8.8.8.8192.168.2.70x6ccdNo error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:49:27.365381002 CET8.8.8.8192.168.2.70x6ccdNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:27.365381002 CET8.8.8.8192.168.2.70x6ccdNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:27.365381002 CET8.8.8.8192.168.2.70x6ccdNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:27.630573988 CET8.8.8.8192.168.2.70x2241No error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:49:27.630573988 CET8.8.8.8192.168.2.70x2241No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:27.630573988 CET8.8.8.8192.168.2.70x2241No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:27.630573988 CET8.8.8.8192.168.2.70x2241No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:29.565855026 CET8.8.8.8192.168.2.70xea0dNo error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:49:29.565855026 CET8.8.8.8192.168.2.70xea0dNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:29.565855026 CET8.8.8.8192.168.2.70xea0dNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:29.565855026 CET8.8.8.8192.168.2.70xea0dNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:32.438484907 CET8.8.8.8192.168.2.70x502cName error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:38.184230089 CET8.8.8.8192.168.2.70x1aa0Name error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:38.625797987 CET8.8.8.8192.168.2.70x4afaName error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:40.340465069 CET8.8.8.8192.168.2.70x4e94Name error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:42.505004883 CET8.8.8.8192.168.2.70xc53dName error (3)gerukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:48.399806023 CET8.8.8.8192.168.2.70x21afName error (3)gerukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:48.817127943 CET8.8.8.8192.168.2.70x22d5Name error (3)gerukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:50.523742914 CET8.8.8.8192.168.2.70x7772Name error (3)gerukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:56.711815119 CET8.8.8.8192.168.2.70x209aServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:57.574570894 CET8.8.8.8192.168.2.70x209aServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:49:59.580099106 CET8.8.8.8192.168.2.70x209aServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:00.601974010 CET8.8.8.8192.168.2.70x209aServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:04.095603943 CET8.8.8.8192.168.2.70xf718Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:04.167093039 CET8.8.8.8192.168.2.70xbe5aServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:04.671138048 CET8.8.8.8192.168.2.70xc354Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:05.088732958 CET8.8.8.8192.168.2.70xf718Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:05.149595022 CET8.8.8.8192.168.2.70xbe5aServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:05.668211937 CET8.8.8.8192.168.2.70xc354Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:06.166713953 CET8.8.8.8192.168.2.70xbe5aServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:06.672385931 CET8.8.8.8192.168.2.70xf718Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:06.683897972 CET8.8.8.8192.168.2.70xc354Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:08.187335968 CET8.8.8.8192.168.2.70xbe5aServer failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:08.812439919 CET8.8.8.8192.168.2.70xc354Server failure (2)fortunarah.comnonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:18.082094908 CET8.8.8.8192.168.2.70xc34No error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:50:18.082094908 CET8.8.8.8192.168.2.70xc34No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:18.082094908 CET8.8.8.8192.168.2.70xc34No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:18.082094908 CET8.8.8.8192.168.2.70xc34No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:25.759835958 CET8.8.8.8192.168.2.70xb203No error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:50:25.759835958 CET8.8.8.8192.168.2.70xb203No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:25.759835958 CET8.8.8.8192.168.2.70xb203No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:25.759835958 CET8.8.8.8192.168.2.70xb203No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:25.877816916 CET8.8.8.8192.168.2.70x5b02No error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:50:25.877816916 CET8.8.8.8192.168.2.70x5b02No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:25.877816916 CET8.8.8.8192.168.2.70x5b02No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:25.877816916 CET8.8.8.8192.168.2.70x5b02No error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:26.517128944 CET8.8.8.8192.168.2.70x8bceNo error (0)windows.update3.comprod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                    Dec 16, 2021 09:50:26.517128944 CET8.8.8.8192.168.2.70x8bceNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.20.161.64A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:26.517128944 CET8.8.8.8192.168.2.70x8bceNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com18.219.227.107A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:26.517128944 CET8.8.8.8192.168.2.70x8bceNo error (0)prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com3.12.124.139A (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:28.742445946 CET8.8.8.8192.168.2.70x2d41Name error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:36.409636021 CET8.8.8.8192.168.2.70x72dbName error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:36.514867067 CET8.8.8.8192.168.2.70xdc47Name error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:37.158690929 CET8.8.8.8192.168.2.70x7816Name error (3)berukoneru.websitenonenoneA (IP address)IN (0x0001)
                    Dec 16, 2021 09:50:38.777276039 CET8.8.8.8192.168.2.70xcec3Name error (3)gerukoneru.websitenonenoneA (IP address)IN (0x0001)

                    Code Manipulations

                    Statistics

                    Behavior


                    System Behavior

                    General

                    Start time: 09:46:29
                    Start date: 16/12/2021
                    Path: C:\Windows\System32\loaddll32.exe
                    Wow64 process (32bit): true
                    Commandline: loaddll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll"
                    Imagebase: 0xae0000
                    File size: 116736 bytes
                    MD5 hash: 7DEB5DB86C0AC789123DEC286286B938
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, Author: Joe Security
                    Reputation: moderate

                    General

                    Start time: 09:46:30
                    Start date: 16/12/2021
                    Path: C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit): true
                    Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
                    Imagebase: 0x870000
                    File size: 232960 bytes
                    MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time: 09:46:30
                    Start date: 16/12/2021
                    Path: C:\Windows\SysWOW64\regsvr32.exe
                    Wow64 process (32bit): true
                    Commandline: regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll
                    Imagebase: 0xe80000
                    File size: 20992 bytes
                    MD5 hash: 426E7499F6A7346F0410DEAD0805586B
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, Author: Joe Security
                    Reputation: high

                    General

                    Start time: 09:46:30
                    Start date: 16/12/2021
                    Path: C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit): true
                    Commandline: rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
                    Imagebase: 0x1190000
                    File size: 61952 bytes
                    MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, Author: Joe Security
                    Reputation: high

                    General

                    Start time: 09:46:30
                    Start date: 16/12/2021
                    Path: C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit): true
                    Commandline: rundll32.exe C:\Users\user\Desktop\fiHY95Y1CZ.dll,DllRegisterServer
                    Imagebase: 0x1190000
                    File size: 61952 bytes
                    MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, Author: Joe Security
                    Reputation: high

                    Disassembly

                    Code Analysis
