

Windows Analysis Report
resources.dll

Overview

General Information

Sample name: resources.dll
Analysis ID: 1565896
MD5: e758e07113016aca55d9eda2b0ffeebe
SHA1: 8c1e63a01148e20085d418c0b23021bc5eca0709
SHA256: 2597322a49a6252445ca4c8d713320b238113b3b8fd8a2d6fc1088a5934cee0e

Detection

DanaBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
AI detected suspicious sample
May use the Tor software to hide its network traffic
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5824 cmdline: loaddll32.exe "C:\Users\user\Desktop\resources.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6192 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\resources.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 5276 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2876 cmdline: rundll32.exe C:\Users\user\Desktop\resources.dll,CIrNTzBaPkppGNf MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7116 cmdline: rundll32.exe C:\Users\user\Desktop\resources.dll,CZnIUAAeJ MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6104 cmdline: rundll32.exe C:\Users\user\Desktop\resources.dll,FxJWXdx MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1020 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",CIrNTzBaPkppGNf MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7164 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",CZnIUAAeJ MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2608 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",FxJWXdx MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7140 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",yVmJFl MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7056 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",ukniOqaVKgeX MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1576 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",uMRRtkuQVecTfq MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3292 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",start MD5: 889B99C52A60DD49227C5E485A016679)
      • schtasks.exe (PID: 3852 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 4676 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5064 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 4296 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 1252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 428 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2000 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3992 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6480 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 1480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3724 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 1776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6584 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6020 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 3780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 676 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 1580 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 1292 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",rtVNQhSpgienExR MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1784 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",nkYPRlgSTnlUkuDTW MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4724 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",jERKotJBwfw MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6784 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",iBZHcoeoarRd MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7100 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",ZfDMgndWxjR MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5860 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",UAyCqwHRBMHCdHlVz MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 616 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",SOdCGqnNtDWyDo MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3852 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",NpZatICsK MD5: 889B99C52A60DD49227C5E485A016679)
      • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 4256 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",LKSMdMaTT MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5772 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",IYfRriwGvbgbXBXReH MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5064 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",HipXGmygXapBRYfa MD5: 889B99C52A60DD49227C5E485A016679)
      • conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 612 cmdline: rundll32.exe "C:\Users\user\Desktop\resources.dll",GbmgwMEzKpXc MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000003.2300245046.000000007E010000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
0000000E.00000003.2295319581.0000000005ED0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
Process Memory Space: rundll32.exe PID: 3292 | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security

Source | Rule | Description | Author | Strings
14.3.rundll32.exe.5ed0000.0.raw.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
Sigma rule match (Conhost Spawned By Uncommon Parent Process, listed under Signatures above)
Source: Process started
Author: Tim Rauch
Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\resources.dll",NpZatICsK, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3852, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5064, ProcessName: conhost.exe
Suricata IDS alerts: Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-12-01T00:11:43.572168+010020344651Malware Command and Control Activity Detected192.168.2.550326195.133.88.98443TCP
              2024-12-01T00:11:43.650358+010020344651Malware Command and Control Activity Detected192.168.2.55032731.41.244.38443TCP
              2024-12-01T00:11:43.728685+010020344651Malware Command and Control Activity Detected192.168.2.55032862.173.146.41443TCP
              2024-12-01T00:11:47.155748+010020344651Malware Command and Control Activity Detected192.168.2.55033362.173.146.41443TCP
              2024-12-01T00:11:47.221850+010020344651Malware Command and Control Activity Detected192.168.2.550334195.133.88.98443TCP
              2024-12-01T00:11:47.305340+010020344651Malware Command and Control Activity Detected192.168.2.55033531.41.244.38443TCP
              2024-12-01T00:11:47.393856+010020344651Malware Command and Control Activity Detected192.168.2.55033662.173.146.41443TCP
              2024-12-01T00:11:49.869097+010020344651Malware Command and Control Activity Detected192.168.2.55034162.173.146.41443TCP
              2024-12-01T00:11:49.947729+010020344651Malware Command and Control Activity Detected192.168.2.550342195.133.88.98443TCP
              2024-12-01T00:11:50.032547+010020344651Malware Command and Control Activity Detected192.168.2.55034331.41.244.38443TCP
              2024-12-01T00:11:50.096478+010020344651Malware Command and Control Activity Detected192.168.2.55034462.173.146.41443TCP
              2024-12-01T00:11:54.425801+010020344651Malware Command and Control Activity Detected192.168.2.55034962.173.146.41443TCP
              2024-12-01T00:11:54.471702+010020344651Malware Command and Control Activity Detected192.168.2.550350195.133.88.98443TCP
              2024-12-01T00:11:54.535835+010020344651Malware Command and Control Activity Detected192.168.2.55035131.41.244.38443TCP
              2024-12-01T00:11:54.598363+010020344651Malware Command and Control Activity Detected192.168.2.55035262.173.146.41443TCP
              2024-12-01T00:11:57.559203+010020344651Malware Command and Control Activity Detected192.168.2.55035762.173.146.41443TCP
              2024-12-01T00:11:57.708896+010020344651Malware Command and Control Activity Detected192.168.2.550358195.133.88.98443TCP
              2024-12-01T00:11:57.771985+010020344651Malware Command and Control Activity Detected192.168.2.55035931.41.244.38443TCP
              2024-12-01T00:11:57.846496+010020344651Malware Command and Control Activity Detected192.168.2.55036062.173.146.41443TCP
              2024-12-01T00:12:00.148551+010020344651Malware Command and Control Activity Detected192.168.2.55036562.173.146.41443TCP
              2024-12-01T00:12:00.196732+010020344651Malware Command and Control Activity Detected192.168.2.550366195.133.88.98443TCP
              2024-12-01T00:12:00.244478+010020344651Malware Command and Control Activity Detected192.168.2.55036731.41.244.38443TCP
              2024-12-01T00:12:00.288288+010020344651Malware Command and Control Activity Detected192.168.2.55036862.173.146.41443TCP

              AV Detection

              Source: resources.dll - Avira: detected
              Source: resources.dll - ReversingLabs: Detection: 71%
              Source: Yara match - File source: 0000000E.00000003.2300245046.000000007E010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: Process Memory Space: rundll32.exe PID: 3292, type: MEMORYSTR
              Source: Submitted Sample - Integrated Neural Analysis Model: Matched 96.5% probability
              Source: resources.dll - Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
              Source: resources.dll - Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: E:\cpp\git7\dll\WndResizerApp.pdbk source: resources.dll
              Source: Binary string: E:\cpp\git7\dll\WndResizerApp.pdb source: resources.dll
              Source: C:\Windows\SysWOW64\rundll32.exe - File opened: C:\Users\user
              Source: C:\Windows\SysWOW64\rundll32.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\SysWOW64\rundll32.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\SysWOW64\rundll32.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\SysWOW64\rundll32.exe - File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\SysWOW64\rundll32.exe - File opened: C:\Users\user\AppData

              Networking

              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50344 -> 62.173.146.41:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50358 -> 195.133.88.98:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50357 -> 62.173.146.41:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50349 -> 62.173.146.41:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50359 -> 31.41.244.38:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50366 -> 195.133.88.98:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50319 -> 31.41.244.38:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50360 -> 62.173.146.41:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50367 -> 31.41.244.38:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50309 -> 62.173.146.41:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50175 -> 31.41.244.38:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50351 -> 31.41.244.38:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50368 -> 62.173.146.41:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50365 -> 62.173.146.41:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50127 -> 62.173.146.41:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50167 -> 31.41.244.38:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50311 -> 31.41.244.38:443
              Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50352 -> 62.173.146.41:443
              Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 31.41.244.38 443
              Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 195.133.88.98 443
              Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 62.173.146.41 443
              Source: Joe Sandbox View | IP Address: 31.41.244.38 31.41.244.38
              Source: Joe Sandbox View | IP Address: 195.133.88.98 195.133.88.98
              Source: Joe Sandbox View | IP Address: 62.173.146.41 62.173.146.41
              Source: Joe Sandbox View | ASN Name: AEROEXPRESS-ASRU AEROEXPRESS-ASRU
              Source: Joe Sandbox View | ASN Name: ETOP-ASPL ETOP-ASPL
              Source: Joe Sandbox View | ASN Name: SPACENET-ASInternetServiceProviderRU SPACENET-ASInternetServiceProviderRU
              Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.146.41
              Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.88.98
              Source: unknown | TCP traffic detected without corresponding DNS query: 31.41.244.38
              Source: rundll32.exe, 0000000E.00000003.3291662100.000000007F570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2354677127.000000007F560000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
              Source: rundll32.exe, 0000000E.00000003.3291662100.000000007F570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2354677127.000000007F560000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
              Source: rundll32.exe, 0000000E.00000003.3291662100.000000007F570000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2354677127.000000007F560000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
              Source: rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300545497.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
              Source: rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300545497.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
              Source: rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300545497.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
              Source: rundll32.exe, 0000000E.00000003.2295319581.0000000005ED0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: rundll32.exe, 0000000E.00000003.2295319581.0000000005ED0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
              Source: rundll32.exe, 0000000E.00000003.2295319581.00000000068D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: rundll32.exe, 0000000E.00000003.2295319581.0000000005ED0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Types
              Source: rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300545497.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
              Source: rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300545497.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html.
              Source: rundll32.exe, 0000000E.00000003.3215871980.000000007F592000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://azureedge.net
              Source: rundll32.exe, 0000000E.00000003.3215871980.000000007F592000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
              Source: rundll32.exe, 0000000E.00000003.3215871980.000000007F592000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
              Source: rundll32.exe, 0000000E.00000003.3215871980.000000007F592000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49986
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49985
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49984
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49983
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49982
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49981
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49980
              Source: unknown | Network traffic detected: HTTP traffic on port 49932 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49898 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50131 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50211 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50177 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50257 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49979
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
              Source: unknown | Network traffic detected: HTTP traffic on port 50360 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49973
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49972
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49971
              Source: unknown | Network traffic detected: HTTP traffic on port 50165 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50325 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50004 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49909 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50292 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49969
              Source: unknown | Network traffic detected: HTTP traffic on port 49886 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49963
              Source: unknown | Network traffic detected: HTTP traffic on port 50359 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49962
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49961
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49960
              Source: unknown | Network traffic detected: HTTP traffic on port 50189 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50108 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50073 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50028 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50303 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50269 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49958
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49957
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49955
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49954
              Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50280 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49944 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49910 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50337 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50051 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50153 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49949
              Source: unknown | Network traffic detected: HTTP traffic on port 50235 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49948
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49946
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49944
              Source: unknown | Network traffic detected: HTTP traffic on port 50061 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49922 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50187 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50221 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50026 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50301 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50270 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50347 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50335 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50282 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50247 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50095 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50155 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50313 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50038 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50143 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49840 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50208 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50259 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49995
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49993
              Source: unknown | Network traffic detected: HTTP traffic on port 50016 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49992
              Source: unknown | Network traffic detected: HTTP traffic on port 49934 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50199 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50277 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50337
              Source: unknown | Network traffic detected: HTTP traffic on port 50036 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50336
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50339
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50338
              Source: unknown | Network traffic detected: HTTP traffic on port 50151 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50116 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50331
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50330
              Source: unknown | Network traffic detected: HTTP traffic on port 50225 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50333
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50332
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50335
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50334
              Source: unknown | Network traffic detected: HTTP traffic on port 50305 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49900 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50348
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50105
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50347
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50108
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50349
              Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50340
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50100
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50342
              Source: unknown | Network traffic detected: HTTP traffic on port 49872 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50341
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50102
              Source: unknown | Network traffic detected: HTTP traffic on port 50339 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50344
              Source: unknown | Network traffic detected: HTTP traffic on port 50352 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50243 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50343
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50104
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50346
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50345
              Source: unknown | Network traffic detected: HTTP traffic on port 50289 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50197 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50359
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50116
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50358
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50119
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50351
              Source: unknown | Network traffic detected: HTTP traffic on port 50317 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50350
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50353
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50110
              Source: unknown | Network traffic detected: HTTP traffic on port 49930 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50352
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50113
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50355
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50112
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50354
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50115
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50357
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50356
              Source: unknown | Network traffic detected: HTTP traffic on port 49986 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50360
              Source: unknown | Network traffic detected: HTTP traffic on port 50175 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50213 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50127
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50129
              Source: unknown | Network traffic detected: HTTP traffic on port 50255 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50120
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50362
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50361
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50122
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50364
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50363
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50124
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50366
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50123
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50365
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50368
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50367
              Source: unknown | Network traffic detected: HTTP traffic on port 49907 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50340 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50315 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50350 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50267 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50081 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50362 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50304
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50303
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50306
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50305
              Source: unknown | Network traffic detected: HTTP traffic on port 50173 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50308
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50307
              Source: unknown | Network traffic detected: HTTP traffic on port 49954 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50014 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50309
              Source: unknown | Network traffic detected: HTTP traffic on port 50201 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50300
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50302
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50301
              Source: unknown | Network traffic detected: HTTP traffic on port 50141 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50233 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50315
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50314
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50317
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50316
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50319
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50318
              Source: unknown | Network traffic detected: HTTP traffic on port 50279 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50311
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50310
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50313
              Source: unknown | Network traffic detected: HTTP traffic on port 50223 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50312
              Source: unknown | Network traffic detected: HTTP traffic on port 50163 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50349 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50326
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50325
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50328
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50327
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50329
              Source: unknown | Network traffic detected: HTTP traffic on port 50245 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50320
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50322
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50321
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50324
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50323
              Source: unknown | Network traffic detected: HTTP traffic on port 50290 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50002 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50185 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 50327 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50054
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50296
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50053
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50295
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50298
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50297
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50057
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50299
              Source: unknownNetwork traffic detected: HTTP traffic on port 49961 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50061
              Source: unknownNetwork traffic detected: HTTP traffic on port 50286 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50343 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50102 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50148 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50274 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50065
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50064
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50066
              Source: unknownNetwork traffic detected: HTTP traffic on port 50331 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50205 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50240 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50183 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50072
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50074
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50073
              Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50308 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50227 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50252 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50195 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50076
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50075
              Source: unknownNetwork traffic detected: HTTP traffic on port 50057 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50077
              Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50081
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50080
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50086
              Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50089
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50088
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50090
              Source: unknownNetwork traffic detected: HTTP traffic on port 50136 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50096
              Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50095
              Source: unknownNetwork traffic detected: HTTP traffic on port 50365 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50017
              Source: unknownNetwork traffic detected: HTTP traffic on port 50193 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50259
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50252
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50251
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50254
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50253
              Source: unknownNetwork traffic detected: HTTP traffic on port 50090 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50014
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50256
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50255
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50016
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50258
              Source: unknownNetwork traffic detected: HTTP traffic on port 50353 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50015
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50257
              Source: unknownNetwork traffic detected: HTTP traffic on port 50161 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50261
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50260
              Source: unknownNetwork traffic detected: HTTP traffic on port 50215 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50230 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50029
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50028
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50263
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50262
              Source: unknownNetwork traffic detected: HTTP traffic on port 50318 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50023
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50265
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50022
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50264
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50025
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50267
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50266
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50027
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50269
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50026
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50268
              Source: unknownNetwork traffic detected: HTTP traffic on port 49985 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50264 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50270
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50272
              Source: unknownNetwork traffic detected: HTTP traffic on port 50138 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50271
              Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50298 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50274
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50031
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50273
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50276
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50275
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50036
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50278
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50277
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50038
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50279
              Source: unknownNetwork traffic detected: HTTP traffic on port 50242 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50281
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50280
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50283
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50040
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50282
              Source: unknownNetwork traffic detected: HTTP traffic on port 50104 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50341 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50089 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49973 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50203 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50276 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50171 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50285
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50042
              Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50284
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50287
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50286
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50047
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50289
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50288
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50049
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50290
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50050
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50292
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50291
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50052
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50294
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50051
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50293
              Source: unknownNetwork traffic detected: HTTP traffic on port 49890 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50168 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50311 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50122 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50260 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50357 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49958 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50219 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49946 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50077 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50134 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50053 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49981 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50237 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50099 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50031 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50156 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50272 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50100 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50345 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50249 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50207 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50323 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50294 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50181 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50065 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50229 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50296 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50098
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50099
              Source: unknownNetwork traffic detected: HTTP traffic on port 50112 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50075 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50158 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49938
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49936
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49935
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49934
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49932
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49931
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49930
              Source: unknownNetwork traffic detected: HTTP traffic on port 50008 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49971 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49936 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50321 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50367 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49925
              Source: unknownNetwork traffic detected: HTTP traffic on port 50250 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49923
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49922
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49921
              Source: unknownNetwork traffic detected: HTTP traffic on port 50124 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50191 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50262 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50355 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50217 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49914 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49914
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49913
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49912
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49911
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49910
              Source: unknownNetwork traffic detected: HTTP traffic on port 49948 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50146 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50284 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50333 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49899 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50239 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49909
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49908
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49907
              Source: unknownNetwork traffic detected: HTTP traffic on port 49993 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49901
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49900
              Source: unknownNetwork traffic detected: HTTP traffic on port 50154 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50234 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50314 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50222 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50074 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50268 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50120 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
              Source: unknownNetwork traffic detected: HTTP traffic on port 50040 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50015 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50246 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50130 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50096 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50291 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49839
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49837
              Source: unknownNetwork traffic detected: HTTP traffic on port 49921 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49836
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49835
              Source: unknownNetwork traffic detected: HTTP traffic on port 50326 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49834
              Source: unknownNetwork traffic detected: HTTP traffic on port 49887 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50119 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50142 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50348 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50178 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49955 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50210 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50017 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50049 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50324 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50293 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49980 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49885 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49899
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49898
              Source: unknownNetwork traffic detected: HTTP traffic on port 50144 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49892
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49891
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49890
              Source: unknownNetwork traffic detected: HTTP traffic on port 50209 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49911 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50176 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50258 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49889
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49887
              Source: unknownNetwork traffic detected: HTTP traffic on port 50336 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49886
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49885
              Source: unknownNetwork traffic detected: HTTP traffic on port 50166 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50281 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50050 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50110 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50005 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50236 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49979 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49923 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49873
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49872
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49871
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49870
              Source: unknownNetwork traffic detected: HTTP traffic on port 50188 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50220 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50358 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50072 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50132 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50027 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 50302 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50216
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50215

              E-Banking Fraud

Source: Yara match | File source: 0000000E.00000003.2300245046.000000007E010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3292, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 49%
Source: resources.dll | Binary or memory string: OriginalFilenameWndResizerApp.exeJ vs resources.dll
Source: resources.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winDLL@125/221@0/3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:728:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1252:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:712:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\Qwafsoepidseto
Source: Yara match | File source: 14.3.rundll32.exe.5ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000003.2295319581.0000000005ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\resources.dll,CIrNTzBaPkppGNf
              Source: rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300545497.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300545497.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300545497.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300545497.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: rundll32.exe, 0000000E.00000003.3140896312.000000000803A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.3210469910.000000000803A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.3288971156.000000000803A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2981815119.0000000008057000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.3296918701.0000000008039000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.3060499259.0000000008039000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.3143482412.0000000008039000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2984493114.0000000008056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2352554089.0000000008057000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2355809968.0000000008053000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.3217087911.0000000008039000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
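The strings in the memory dumps above are SQLite's own internal statements (the sqlite_rename_* helpers) plus the DDL of Chromium's password_notes table, so the sample carries an embedded SQLite engine and reads Chromium "Login Data" databases, notes included. As an added example, not code from the report or from the sample, the script below builds a reduced copy of such a database in memory and runs the triage query an analyst would use to see what a read of that file exposes. Assumptions: the logins table is cut down to the columns used here (Chromium's real table has many more), the rows and timestamps are constructed, and the classification of password_value by its prefix (v10 for AES-GCM with the key held in Local State, v20 for app-bound encryption, anything else a DPAPI blob) is general Chromium knowledge rather than something this report shows.

```python
"""Triage what a Chromium "Login Data" database exposes, password_notes included.

Added example. The logins schema is a reduced version of Chromium's (only the
columns used here); the password_notes DDL is the one found in the sample's
memory. All rows are constructed, and everything runs in an in-memory copy so
nothing on the analyst's own profile is touched.
"""
import sqlite3
from dataclasses import dataclass
from typing import List

# Assumed, reduced logins table (real Chromium has many more columns).
REDUCED_LOGINS_DDL = """
CREATE TABLE logins (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    origin_url VARCHAR NOT NULL,
    username_value VARCHAR,
    password_value BLOB,
    date_created INTEGER NOT NULL
);
"""
# Verbatim from the memory string in the report.
PASSWORD_NOTES_DDL = """
CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
"""


@dataclass(frozen=True)
class ExposedLogin:
    origin_url: str
    username: str
    password_scheme: str   # which secret a thief still needs to unlock the blob
    notes: int             # number of password_notes rows attached to this login


def scheme_of(blob: bytes) -> str:
    """Classify a password_value blob by its prefix (assumed Chromium conventions)."""
    if blob.startswith(b"v10"):
        return "aes-gcm (key in Local State, DPAPI-wrapped)"
    if blob.startswith(b"v20"):
        return "app-bound (needs the browser's elevation service)"
    return "dpapi (user-scope DPAPI blob)"


def build_sample_db() -> sqlite3.Connection:
    """In-memory Login Data with three constructed logins and two notes."""
    con = sqlite3.connect(":memory:")
    con.executescript(REDUCED_LOGINS_DDL + PASSWORD_NOTES_DDL)
    con.executemany(
        "INSERT INTO logins(origin_url, username_value, password_value, date_created)"
        " VALUES (?, ?, ?, ?)",
        [
            ("https://mail.example.test/", "alice", b"v10" + bytes(28), 13300000000000000),
            ("https://bank.example.test/", "alice", b"v20" + bytes(28), 13300000000000001),
            # Legacy-style blob: constructed bytes with a DPAPI-looking header.
            ("https://old.example.test/", "bob", b"\x01\x00\x00\x00\xd0\x8c", 13300000000000002),
        ],
    )
    con.executemany(
        "INSERT INTO password_notes(parent_id, key, value, date_created, confidential)"
        " VALUES (?, ?, ?, ?, ?)",
        [
            (1, "", b"v10" + bytes(20), 13300000000000000, 0),
            (1, "recovery", b"v10" + bytes(20), 13300000000000000, 1),
        ],
    )
    con.commit()
    return con


def triage(con: sqlite3.Connection) -> List[ExposedLogin]:
    """One row per login: where, who, how the secret is protected, how many notes."""
    rows = con.execute(
        """
        SELECT l.origin_url, l.username_value, l.password_value, COUNT(n.id)
        FROM logins l LEFT JOIN password_notes n ON n.parent_id = l.id
        GROUP BY l.id ORDER BY l.id
        """
    ).fetchall()
    return [ExposedLogin(url, user, scheme_of(pw), cnt) for (url, user, pw, cnt) in rows]


if __name__ == "__main__":
    for row in triage(build_sample_db()):
        print(f"{row.origin_url:32} {row.username:8} notes={row.notes}  {row.password_scheme}")
```

The notes count is the point of the password_notes string: note values are stored the same way as password_value, so whatever unlocks the password also unlocks the recovery codes and similar text users keep in that field, and a stealer that knows this table is collecting both.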
              Source: resources.dll | ReversingLabs: Detection: 71%
              Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\resources.dll"
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\resources.dll",#1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\resources.dll,CIrNTzBaPkppGNf
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",#1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\resources.dll,CZnIUAAeJ
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\resources.dll,FxJWXdx
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",CIrNTzBaPkppGNf
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",CZnIUAAeJ
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",FxJWXdx
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",yVmJFl
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",ukniOqaVKgeX
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",uMRRtkuQVecTfq
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",start
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",rtVNQhSpgienExR
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",nkYPRlgSTnlUkuDTW
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",jERKotJBwfw
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",iBZHcoeoarRd
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",ZfDMgndWxjR
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",UAyCqwHRBMHCdHlVz
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",SOdCGqnNtDWyDo
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",NpZatICsK
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",LKSMdMaTT
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",IYfRriwGvbgbXBXReH
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",HipXGmygXapBRYfa
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",GbmgwMEzKpXc
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\resources.dll",#1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\resources.dll,CIrNTzBaPkppGNf
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\resources.dll,CZnIUAAeJ
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\resources.dll,FxJWXdx
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",CIrNTzBaPkppGNf
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",CZnIUAAeJ
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",FxJWXdx
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",yVmJFl
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",ukniOqaVKgeX
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",uMRRtkuQVecTfq
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",start
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",rtVNQhSpgienExR
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",nkYPRlgSTnlUkuDTW
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",jERKotJBwfw
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",iBZHcoeoarRd
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",ZfDMgndWxjR
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",UAyCqwHRBMHCdHlVz
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",SOdCGqnNtDWyDo
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",NpZatICsK
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",LKSMdMaTT
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",IYfRriwGvbgbXBXReH
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",HipXGmygXapBRYfa
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",GbmgwMEzKpXc
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",#1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",NpZatICsK
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",HipXGmygXapBRYfa
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: unknown unknown (36 occurrences)
              Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
              Source: C:\Windows\System32\loaddll32.exe | Section loaded: msimg32.dll
              Source: C:\Windows\System32\loaddll32.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\loaddll32.exe | Section loaded: oleacc.dll
              Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
              Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\loaddll32.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll (13 schtasks.exe instances)
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll (13 schtasks.exe instances)
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll (13 schtasks.exe instances)
              Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: resources.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: resources.dll | Static file information: File size 11922432 > 1048576
              Source: resources.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x97d800
              Source: resources.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x166400
              Source: resources.dll | Static PE information: More than 200 imports for USER32.dll
              Source: resources.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: resources.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: E:\cpp\git7\dll\WndResizerApp.pdbk source: resources.dll
              Source: Binary string: E:\cpp\git7\dll\WndResizerApp.pdb source: resources.dll

              Boot Survival

              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
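The schtasks /End and /Run lines are the whole of the boot-survival evidence in this report: there is no /Create, the sample repeatedly stops and re-runs the built-in \Microsoft\Windows\Wininet\CacheTask from rundll32.exe, and the same rundll32.exe queries the InProcServer32 value of CLSID {1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}, which is worth inspecting on an infected host. Two caveats when reading the process list: the long run of loaddll32.exe -> rundll32.exe launches with one export name each is the sandbox's loaddll32 harness exercising every export of the submitted DLL, not something the sample does on a victim, and the CacheTask itself exists on every Windows install, so a rule keyed on the task name alone will fire on legitimate maintenance. The detection below is an added example, not part of the report or of Joe Sandbox; it runs over constructed process-creation events (every PID except 5824 is made up, and the benign entries are invented for contrast) and flags the two behaviours that are actually the sample's: schtasks /Run or /End on the CacheTask with rundll32.exe as parent, and rundll32.exe re-launching the same DLL from a user-writable path with a different export.

```python
"""Process-tree detection for the rundll32 -> schtasks CacheTask pattern.

Added example. The events below are constructed to mirror the process tree in
this report and are not the sandbox's telemetry. Fields follow the Sysmon
Event ID 1 idea of (pid, ppid, image, command line); any EDR feed with those
four fields works the same way.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


# Constructed sample telemetry; only PID 5824 is taken from the report.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(5824, 1000, r"C:\Windows\System32\loaddll32.exe",
              r'loaddll32.exe "C:\Users\user\Desktop\resources.dll"'),
    ProcEvent(6000, 5824, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\resources.dll,CIrNTzBaPkppGNf"),
    ProcEvent(6010, 6000, r"C:\Windows\SysWOW64\schtasks.exe",
              r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"),
    ProcEvent(6011, 6000, r"C:\Windows\SysWOW64\schtasks.exe",
              r"schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask"),
    ProcEvent(6020, 6000, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\resources.dll",NpZatICsK'),
    # Invented benign noise: an admin querying the same task from a shell,
    # and a stock rundll32 invocation of a system DLL.
    ProcEvent(7000, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(7001, 7000, r"C:\Windows\System32\schtasks.exe",
              r"schtasks /Query /tn \Microsoft\Windows\Wininet\CacheTask"),
    ProcEvent(7100, 4000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# Directories a standard user can write to; a DLL handed to rundll32 from
# one of these deserves a look on its own.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

_RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
_CACHETASK_RE = re.compile(
    r'/tn\s+"?\\microsoft\\windows\\wininet\\cachetask\b', re.I)
_RUN_OR_END_RE = re.compile(r"/(run|end)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = _RUNDLL32_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def detect(events: List[ProcEvent]) -> List[Alert]:
    """Resolve parents by PID and apply the three rules described above."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        parent_name = basename(parent.image) if parent else ""
        name = basename(ev.image)

        if name == "rundll32.exe":
            parsed = parse_rundll32(ev.cmdline)
            if parsed:
                dll, export = parsed
                if dll.lower().startswith(USER_WRITABLE_PREFIXES):
                    alerts.append(Alert("rundll32_dll_from_user_path", ev.pid,
                                        f"{dll} export {export}"))
                # rundll32 re-launching itself on the same DLL through another
                # export, as the rundll32 -> rundll32 lines in the report show.
                if parent_name == "rundll32.exe":
                    pparsed = parse_rundll32(parent.cmdline)
                    if pparsed and pparsed[0].lower() == dll.lower():
                        alerts.append(Alert("rundll32_self_relaunch", ev.pid,
                                            f"{dll}: {pparsed[1]} -> {export}"))

        elif name == "schtasks.exe":
            # Keyed on the parent, not the task name: the CacheTask is legitimate.
            if (parent_name == "rundll32.exe"
                    and _CACHETASK_RE.search(ev.cmdline)
                    and _RUN_OR_END_RE.search(ev.cmdline)):
                alerts.append(Alert("schtasks_cachetask_control", ev.pid,
                                    f"{ev.cmdline} (parent pid {ev.ppid})"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:30} pid={a.pid} {a.detail}")
```

On the constructed events the rules fire on PIDs 6000, 6010, 6011 and 6020 and stay quiet on the admin's schtasks /Query and the shell32.dll invocation. In an investigation, pair the alert with a look at the CacheTask's registered action and at the InProcServer32 path the sample queried, since those are where a hijacked COM handler would be visible.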

              Hooking and other Techniques for Hiding and Protection

              Source: rundll32.exe, 0000000E.00000003.2300245046.000000007E010000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: torConnect
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
              Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 3901
              Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 3790
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 1576 | Thread sleep time: -59160s >= -30000s
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 3720 | Thread sleep time: -7802000s >= -30000s
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 1784 | Thread sleep time: -75075s >= -30000s
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 1292 | Thread sleep time: -7580000s >= -30000s
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 3720 | Thread sleep time: -462000s >= -30000s
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 1292 | Thread sleep time: -396000s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
              Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 75075
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 31.41.244.38 443
              Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 195.133.88.98 443
              Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 62.173.146.41 443
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\resources.dll",#1
              Source: rundll32.exe, 0000000E.00000003.2300245046.000000007E010000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2299049426.000000007E8D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
              Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
              Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
              Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 0000000E.00000003.2300245046.000000007E010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3292, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000003.log
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData-journal
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOCK
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\index
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DIPS
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database-journal
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
              Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOCKJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOGJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOGJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOGJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOGJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENTJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsStateJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOCKJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation DatabaseJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCKJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PreferencesJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCKJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db-journalJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCKJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.dbJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENTJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOGJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journalJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOCKJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_0Jump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1Jump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_2Jump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\indexJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteDataJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_3Jump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DIPS-journalJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\AppData\Roaming\Miranda\Jump to behavior

              Remote Access Functionality

              Source: Yara match | File source: 0000000E.00000003.2300245046.000000007E010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.2300636587.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.2303355956.000000007D920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3292, type: MEMORYSTR
              ATT&CK matrix, one line per tactic column; the number in parentheses is the count shown next to that technique on the page:

              • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
              • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
              • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
              • Execution: Windows Management Instrumentation (1), Scheduled Task/Job (1), At, Cron, Launchd, Scheduled Task
              • Persistence: Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
              • Privilege Escalation: Process Injection (112), Scheduled Task/Job (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts
              • Defense Evasion: Virtualization/Sandbox Evasion (111), Process Injection (112), Rundll32 (1), DLL Side-Loading (1), Software Packing, Steganography
              • Credential Access: OS Credential Dumping (1), Credentials in Registry (1), Credentials In Files (1), NTDS, LSA Secrets, Cached Domain Credentials
              • Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (111), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (33)
              • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
              • Collection: Data from Local System (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
              • Command and Control: Encrypted Channel (2), Multi-hop Proxy (1), Application Layer Protocol (1), Proxy (1), Fallback Channels, Multiband Communication
              • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
              • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1565896 | Sample: resources.dll | Startdate: 01/12/2024 | Architecture: WINDOWS | Score: 100

              Top-level signatures:
              • Suricata IDS alerts for network traffic
              • Antivirus / Scanner detection for submitted sample
              • Multi AV Scanner detection for submitted file
              • 2 other signatures

              Process tree (bracketed numbers are the node counters drawn in the graph, see the legend above):
              • loaddll32.exe [1], started
                  • rundll32.exe [9 286], started
                      • Network: 62.173.146.41, 443, 49730, 49733 (SPACENET-ASInternetServiceProviderRU, Russian Federation)
                      • Network: 195.133.88.98, 443, 49731, 49835 (ETOP-ASPL, Russian Federation)
                      • Network: 31.41.244.38, 443, 49732, 49836 (AEROEXPRESS-ASRU, Russian Federation)
                      • Signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; May use the Tor software to hide its network traffic; Tries to harvest and steal browser information (history, passwords, etc)
                      • schtasks.exe, started (three instances), each spawning conhost.exe, started
                      • 10 other processes, spawning conhost.exe, started (three instances) and 5 other processes
                  • rundll32.exe, started
                      • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules
                  • cmd.exe [1], started, spawning rundll32.exe, started
                  • 21 other processes, spawning conhost.exe, started (two instances)
