Windows Analysis Report SecuriteInfo.com.Variant.Razy.980776.4470.28989

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Razy.980776.4470.28989 (renamed file extension from 28989 to dll)
Analysis ID: 510680
MD5: c7cf1a1238e4a42eebf9cd70a5cf091c
SHA1: 4ac755ac7e852daa204caced88887bdfce48a57f
SHA256: f0a31b853ed15c70abd7b13ebb381500188e61d4b8fdee1cd2a922d79a4d1e77
Tags: dll
Infos:

Most interesting Screenshot:

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
System process connects to network (likely due to code injection or exploit)
Detected Dridex e-Banking trojan
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 6.3.rundll32.exe.129db55.0.raw.unpack Malware Configuration Extractor: Dridex {"Version": 10444, "C2 list": ["192.46.210.220:443", "143.244.140.214:808", "45.77.0.96:6891", "185.56.219.47:8116"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "syF7NqCylLS878kcIy9w5XeI8w6uMrqVwowz4h3uWHHlWsr5ELTiXic3wgqbllkcZyNGwPGihI"]}

Compliance:

barindex
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.980776.4470.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.5:50023 version: TLS 1.2
Source: SecuriteInfo.com.Variant.Razy.980776.4470.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.792034242.000000006EDF7000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.816027837.000000006EDF7000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.4470.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED5CEF8 FindFirstFileExW, 0_2_6ED5CEF8

Networking:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.77.0.96 235 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.56.219.47 180 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.46.210.220 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 143.244.140.214 40 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 192.46.210.220:443
Source: Malware configuration extractor IPs: 143.244.140.214:808
Source: Malware configuration extractor IPs: 45.77.0.96:6891
Source: Malware configuration extractor IPs: 185.56.219.47:8116
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: KELIWEBIT KELIWEBIT
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4832Connection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.77.0.96 45.77.0.96
Source: Joe Sandbox View IP Address: 185.56.219.47 185.56.219.47
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49754 -> 143.244.140.214:808
Source: global traffic TCP traffic: 192.168.2.5:49756 -> 45.77.0.96:6891
Source: global traffic TCP traffic: 192.168.2.5:49758 -> 185.56.219.47:8116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:01 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:07 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:08 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:12 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:12 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:16 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:16 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:20 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:21 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:24 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:24 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:28 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:28 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:32 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:33 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:36 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:37 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:40 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:41 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:44 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:45 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:48 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:49 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:53 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:53 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:56 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:45:57 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:00 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:01 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:04 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:05 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:08 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:09 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:13 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:13 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:16 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:16 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:20 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:20 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:24 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:24 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:28 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:28 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:32 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:32 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:36 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:36 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:40 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:40 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:44 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:44 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:48 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:48 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:52 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:52 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:56 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:56 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:00 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:00 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:04 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:04 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:08 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:08 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:12 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:12 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:16 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:17 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:20 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:21 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:24 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:26 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:28 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:30 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:32 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:34 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:36 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:38 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:40 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:42 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:44 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:46 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:48 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:51 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:53 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:55 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:57 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:59 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:01 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F8008506.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000004.00000003.393252545.000000000577A000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?05d49d65b62de
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214/
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.575651265.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.679541732.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.778016005.000000000099D000.00000004.00000020.sdmp String found in binary or memory: https://143.244.140.214:808/
Source: loaddll32.exe, 00000000.00000003.618146216.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/%
Source: loaddll32.exe, 00000000.00000003.525073328.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/(
Source: loaddll32.exe, 00000000.00000003.679541732.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/.140.214:808/hy
Source: loaddll32.exe, 00000000.00000003.660175642.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/:
Source: loaddll32.exe, 00000000.00000003.465711535.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/My
Source: loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/X
Source: loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.733634731.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/em32
Source: loaddll32.exe, 00000000.00000003.643705364.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/frthe.computer
Source: loaddll32.exe, 00000000.00000003.407113242.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/g_
Source: loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/h
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.525073328.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.643705364.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/hy
Source: loaddll32.exe, 00000000.00000003.465711535.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/k
Source: loaddll32.exe, 00000000.00000003.708708874.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/l
Source: loaddll32.exe, 00000000.00000003.583869390.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/l3
Source: loaddll32.exe, 00000000.00000003.708708874.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/la
Source: loaddll32.exe, 00000000.00000003.618146216.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/ll
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.708708874.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.668641353.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.700253725.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.660175642.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/oft
Source: rundll32.exe, 00000004.00000002.814827994.0000000005775000.00000004.00000001.sdmp String found in binary or memory: https://145.56.219.47:8116/
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47/
Source: loaddll32.exe, 00000000.00000003.408320387.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47/Wl
Source: rundll32.exe, 00000004.00000002.785394155.00000000035BD000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/(
Source: loaddll32.exe, 00000000.00000003.465711535.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/0
Source: loaddll32.exe, 00000000.00000003.457343535.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/2
Source: loaddll32.exe, 00000000.00000003.733634731.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/4&b
Source: loaddll32.exe, 00000000.00000003.668641353.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/4.140.214:808/h
Source: loaddll32.exe, 00000000.00000003.679541732.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/4.140.214:808/hy
Source: loaddll32.exe, 00000000.00000003.708708874.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/4h
Source: loaddll32.exe, 00000000.00000003.700253725.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/Ps%
Source: loaddll32.exe, 00000000.00000003.583869390.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/Ub
Source: loaddll32.exe, 00000000.00000003.679541732.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/b
Source: loaddll32.exe, 00000000.00000003.600285042.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/fW
Source: loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/h
Source: loaddll32.exe, 00000000.00000003.408320387.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/ll
Source: loaddll32.exe, 00000000.00000003.643705364.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/ll8b
Source: loaddll32.exe, 00000000.00000003.609859133.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/llUb
Source: loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/oft
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.525073328.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.542004971.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/soft
Source: loaddll32.exe, 00000000.00000002.780745160.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: https://19.77.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.778016005.000000000099D000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000002.814827994.0000000005775000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/
Source: rundll32.exe, 00000004.00000002.773821588.0000000000FCC000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/(u1
Source: loaddll32.exe, 00000000.00000003.465711535.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/4l
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/=l
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/Certification
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/El
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/GlobalSign
Source: loaddll32.exe, 00000000.00000003.465711535.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/Nl
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/O
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/Pl
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/R
Source: loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/Wl
Source: loaddll32.exe, 00000000.00000003.465711535.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/Yl
Source: loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/aenh.dll
Source: loaddll32.exe, 00000000.00000003.733634731.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/aenh.dll4
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/al
Source: loaddll32.exe, 00000000.00000003.457343535.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/coro8
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/en-US
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/f
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/jl
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/k
Source: rundll32.exe, 00000004.00000002.814827994.0000000005775000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/ography
Source: loaddll32.exe, 00000000.00000003.575651265.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/sl
Source: loaddll32.exe, 00000000.00000002.780745160.00000000033C0000.00000004.00000001.sdmp String found in binary or memory: https://195.56.219.47:8116/
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.407113242.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96/
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.814827994.0000000005775000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/
Source: loaddll32.exe, 00000000.00000002.778016005.000000000099D000.00000004.00000020.sdmp String found in binary or memory: https://45.77.0.96:6891/0
Source: loaddll32.exe, 00000000.00000003.407113242.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/14
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.725338491.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/6/
Source: rundll32.exe, 00000004.00000002.814827994.0000000005775000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/Microsoft
Source: loaddll32.exe, 00000000.00000003.652034067.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/Sg
Source: rundll32.exe, 00000004.00000002.814827994.0000000005775000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/graphy
Source: loaddll32.exe, 00000000.00000003.407113242.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/h.dll
Source: loaddll32.exe, 00000000.00000003.407113242.000000000099D000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/sg
Source: unknown HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4844Connection: CloseCache-Control: no-cache
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED639F9 InternetReadFile, 0_2_6ED639F9
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.5:50023 version: TLS 1.2

E-Banking Fraud:

barindex
Yara detected Dridex unpacked file
Source: Yara match File source: 4.2.rundll32.exe.6ed30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.f3db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.83db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.129db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.33fdb55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.129db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.83db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6ed30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.f3db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.33fdb55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.rundll32.exe.e4db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.rundll32.exe.e4db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.341889397.00000000033E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.791906460.000000006ED31000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.390619959.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.369249349.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.340472911.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.387507409.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.815931183.000000006ED31000.00000020.00020000.sdmp, type: MEMORY
Detected Dridex e-Banking trojan
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED351A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 0_2_6ED351A7

System Summary:

barindex
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.980776.4470.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED467C8 0_2_6ED467C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED36AD0 0_2_6ED36AD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED496D0 0_2_6ED496D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED5FA10 0_2_6ED5FA10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED53EC0 0_2_6ED53EC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4B6F0 0_2_6ED4B6F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED48EF0 0_2_6ED48EF0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED562F0 0_2_6ED562F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4F6E0 0_2_6ED4F6E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4AE80 0_2_6ED4AE80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED48AB0 0_2_6ED48AB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED526B0 0_2_6ED526B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED51EB0 0_2_6ED51EB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED51240 0_2_6ED51240
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED49E70 0_2_6ED49E70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4A660 0_2_6ED4A660
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED57660 0_2_6ED57660
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED52E60 0_2_6ED52E60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3CA10 0_2_6ED3CA10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED5FA10 0_2_6ED5FA10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED50220 0_2_6ED50220
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED5D620 0_2_6ED5D620
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED483C0 0_2_6ED483C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED47FC0 0_2_6ED47FC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED57FC0 0_2_6ED57FC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4E3F0 0_2_6ED4E3F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4BF50 0_2_6ED4BF50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED59B10 0_2_6ED59B10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED53B00 0_2_6ED53B00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED51730 0_2_6ED51730
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3ACD0 0_2_6ED3ACD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4A0D0 0_2_6ED4A0D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED498DA 0_2_6ED498DA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED488C0 0_2_6ED488C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED48CC0 0_2_6ED48CC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED55CB0 0_2_6ED55CB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4E0A0 0_2_6ED4E0A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED54CA0 0_2_6ED54CA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED550A0 0_2_6ED550A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED5DCA0 0_2_6ED5DCA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4D030 0_2_6ED4D030
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED51020 0_2_6ED51020
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4FDD0 0_2_6ED4FDD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED589F0 0_2_6ED589F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED571F0 0_2_6ED571F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4C590 0_2_6ED4C590
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4D980 0_2_6ED4D980
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED5D180 0_2_6ED5D180
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3F9A0 0_2_6ED3F9A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED31570 0_2_6ED31570
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED47564 0_2_6ED47564
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6ED7E210 4_2_6ED7E210
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED422A0 NtDelayExecution, 0_2_6ED422A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED5BE30 NtClose, 0_2_6ED5BE30
Source: SecuriteInfo.com.Variant.Razy.980776.4470.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll,Bluewing
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll,Earth
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll,Masterjust
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll,Bluewing Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll,Earth Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll,Masterjust Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal76.bank.troj.evad.winDLL@11/2@0/4
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll,Bluewing
Source: SecuriteInfo.com.Variant.Razy.980776.4470.28989 Joe Sandbox Cloud Basic: Detection: clean Score: 0 Perma Link
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: SecuriteInfo.com.Variant.Razy.980776.4470.dll Static file information: File size 1375232 > 1048576
Source: SecuriteInfo.com.Variant.Razy.980776.4470.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Variant.Razy.980776.4470.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.792034242.000000006EDF7000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.816027837.000000006EDF7000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.4470.dll

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_00B7C762 push eax; ret 0_3_00B7C76D

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Contains functionality to query network adapater information
Source: C:\Windows\System32\loaddll32.exe Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 0_2_6ED351A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED43930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation, 0_2_6ED43930
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED5CEF8 FindFirstFileExW, 0_2_6ED5CEF8

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EDA97B0 IsDebuggerPresent,IsDebuggerPresent,CreateThread,std::_Timevec::_Timevec,WaitForSingleObjectEx, 4_2_6EDA97B0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EDA8B60 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV, 4_2_6EDA8B60
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EDA47C0 mov ecx, dword ptr fs:[00000030h] 4_2_6EDA47C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EE7BA72 mov eax, dword ptr fs:[00000030h] 4_2_6EE7BA72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EE7B942 mov eax, dword ptr fs:[00000030h] 4_2_6EE7B942
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EE7B64D push dword ptr fs:[00000030h] 4_2_6EE7B64D
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED46C50 KiUserExceptionDispatcher,LdrLoadDll, 0_2_6ED46C50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED47A60 RtlAddVectoredExceptionHandler, 0_2_6ED47A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6ED763A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6ED763A0

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.77.0.96 235 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.56.219.47 180 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.46.210.220 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 143.244.140.214 40 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.4470.dll',#1 Jump to behavior
Source: loaddll32.exe, 00000000.00000002.780512330.0000000001270000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.796914302.00000000039D0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.780512330.0000000001270000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.796914302.00000000039D0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.780512330.0000000001270000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.796914302.00000000039D0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.780512330.0000000001270000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.796914302.00000000039D0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.780512330.0000000001270000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.796914302.00000000039D0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EDC1E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 4_2_6EDC2750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EDC1F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6EDABC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EDC1DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6EDAB0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6EDC2960
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED42980 GetUserNameW, 0_2_6ED42980
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 510680 Sample: SecuriteInfo.com.Variant.Ra... Startdate: 28/10/2021 Architecture: WINDOWS Score: 76 28 Found malware configuration 2->28 30 Yara detected Dridex unpacked file 2->30 32 C2 URLs / IPs found in malware configuration 2->32 7 loaddll32.exe 13 2->7         started        process3 signatures4 36 Detected Dridex e-Banking trojan 7->36 10 cmd.exe 1 7->10         started        12 rundll32.exe 7->12         started        14 rundll32.exe 7->14         started        16 rundll32.exe 7->16         started        process5 process6 18 rundll32.exe 12 10->18         started        dnsIp7 22 185.56.219.47, 49758, 49766, 49767 KELIWEBIT Italy 18->22 24 192.46.210.220, 443, 49753, 49757 FRAUNHOFER-CLUSTER-BWResearchInstitutesspreadalloverGe United States 18->24 26 2 other IPs or domains 18->26 34 System process connects to network (likely due to code injection or exploit) 18->34 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.77.0.96
 unknown United States
20473 AS-CHOOPAUS true
185.56.219.47
 unknown Italy
202675 KELIWEBIT true
192.46.210.220
 unknown United States
5501 FRAUNHOFER-CLUSTER-BWResearchInstitutesspreadalloverGe true
143.244.140.214
 unknown United States
174 COGENT-174US true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://192.46.210.220/ true
  • URL Reputation: safe
 unknown