Windows Analysis Report SecuriteInfo.com.Variant.Razy.980776.28328.4566

AV Detection:

Found malware configuration

Source: 3.2.rundll32.exe.6e510000.0.unpack

Malware Configuration Extractor: Dridex {"Version": 10444, "C2 list": ["192.46.210.220:443", "143.244.140.214:808", "45.77.0.96:6891", "185.56.219.47:8116"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "syF7NqCylLS878kcIy9w5XeI8w6uMrqVwowz4h3uWHHlWsr5ELTiXic3wgqbllkcZyNGwPGihI"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll	Virustotal: Detection: 7%			Perma Link
Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll	ReversingLabs: Detection: 27%

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.7:49771 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:

Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.784937216.000000006E5D7000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.786186037.000000006E5D7000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.28328.dll

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E53CEF8 FindFirstFileExW,

0_2_6E53CEF8

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.77.0.96 235			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.56.219.47 180			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.46.210.220 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 143.244.140.214 40			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 192.46.210.220:443
Source: Malware configuration extractor	IPs: 143.244.140.214:808
Source: Malware configuration extractor	IPs: 45.77.0.96:6891
Source: Malware configuration extractor	IPs: 185.56.219.47:8116

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: KELIWEBIT KELIWEBIT

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4857Connection: CloseCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 45.77.0.96 45.77.0.96
Source: Joe Sandbox View	IP Address: 185.56.219.47 185.56.219.47

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.7:49768 -> 143.244.140.214:808
Source: global traffic	TCP traffic: 192.168.2.7:49777 -> 45.77.0.96:6891
Source: global traffic	TCP traffic: 192.168.2.7:49781 -> 185.56.219.47:8116

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 50174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50174
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50184
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50190
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50158
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50160
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50168
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50200
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:21 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:28 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:30 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:32 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:34 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:36 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:37 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:40 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:42 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:45 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:46 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:49 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:50 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:52 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:54 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:56 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:46:58 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:00 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:03 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:04 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:06 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:08 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:10 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:12 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:14 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:16 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:18 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:19 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:22 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:23 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:26 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:27 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:30 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:31 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:34 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:35 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:39 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:39 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:43 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:43 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:47 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:47 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:50 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:51 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:54 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:55 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:58 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:47:58 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:02 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:02 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:06 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:06 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:11 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:11 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:15 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:15 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:19 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:19 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:23 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:23 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:26 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:27 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:30 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:31 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:34 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:35 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:38 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:39 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:43 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:44 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:46 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:48 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:50 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:52 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:54 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:56 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:48:58 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:01 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:02 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:05 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:06 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:09 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:10 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:13 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:14 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:17 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:18 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:21 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 02:49:21 GMTContent-Type: text/plain; charset=utf-8Connection: close

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96

URLs found in memory or binary data

Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: loaddll32.exe, 00000000.00000002.780748710.0000000000718000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabx?
Source: loaddll32.exe, 00000000.00000002.780748710.0000000000718000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enp
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214/
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214/A
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.571195607.0000000000785000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp, rundll32.exe	String found in binary or memory: https://143.244.140.214:808/
Source: loaddll32.exe, 00000000.00000003.604185957.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/.140.214:808/
Source: loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp	String found in binary or memory: https://143.244.140.214:808/G
Source: loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp	String found in binary or memory: https://143.244.140.214:808/U
Source: loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp	String found in binary or memory: https://143.244.140.214:808/Z
Source: loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp	String found in binary or memory: https://143.244.140.214:808/c
Source: loaddll32.exe, 00000000.00000003.604185957.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/h
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.623291100.000000000077D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.631441493.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/hy
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.503888662.000000000077C000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.680511463.000000000077E000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/oft
Source: loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp	String found in binary or memory: https://143.244.140.214:808/q
Source: loaddll32.exe, 00000000.00000003.462282089.0000000000785000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/x
Source: loaddll32.exe, 00000000.00000003.680511463.000000000077E000.00000004.00000001.sdmp	String found in binary or memory: https://18192.46.210.220/
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47/
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47/)
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.503888662.000000000077C000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.680511463.000000000077E000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/
Source: loaddll32.exe, 00000000.00000003.604185957.000000000077D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.462282089.0000000000785000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/4.140.214:808/hy
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/9
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/Q
Source: loaddll32.exe, 00000000.00000003.604185957.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/a
Source: loaddll32.exe, 00000000.00000003.579545200.0000000000785000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/oft
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.623291100.000000000077D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.462282089.0000000000785000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/soft
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.713710363.0000000004A0F000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/
Source: rundll32.exe, 00000003.00000003.713710363.0000000004A0F000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.419169035.0000000000785000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220//
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/;
Source: loaddll32.exe, 00000000.00000003.604185957.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/B
Source: loaddll32.exe, 00000000.00000002.780748710.0000000000718000.00000004.00000020.sdmp	String found in binary or memory: https://192.46.210.220/Certification
Source: loaddll32.exe, 00000000.00000003.604185957.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/M
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/R
Source: loaddll32.exe, 00000000.00000002.780748710.0000000000718000.00000004.00000020.sdmp	String found in binary or memory: https://192.46.210.220/V
Source: rundll32.exe, 00000003.00000003.713710363.0000000004A0F000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/Y
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/_
Source: loaddll32.exe, 00000000.00000003.503888662.000000000077C000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/a
Source: loaddll32.exe, 00000000.00000003.503888662.000000000077C000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/aenh.dll
Source: loaddll32.exe, 00000000.00000003.487595623.000000000077C000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/aenh.dllB
Source: loaddll32.exe, 00000000.00000002.780748710.0000000000718000.00000004.00000020.sdmp	String found in binary or memory: https://192.46.210.220/en-US
Source: loaddll32.exe, 00000000.00000003.604185957.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/f
Source: rundll32.exe, 00000003.00000003.642654981.0000000004A10000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/graphy
Source: rundll32.exe, 00000003.00000003.713710363.0000000004A0F000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/ography
Source: rundll32.exe, 00000003.00000003.625741355.0000000004A0F000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/u
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/z
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96/
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96/l
Source: loaddll32.exe, 00000000.00000002.780748710.0000000000718000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.713710363.0000000004A0F000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.604185957.000000000077D000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/6/
Source: loaddll32.exe, 00000000.00000003.503888662.000000000077C000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/6/Q
Source: loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp	String found in binary or memory: https://45.77.0.96:6891/6/a
Source: rundll32.exe, 00000003.00000003.774804803.0000000004A0F000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/7
Source: rundll32.exe, 00000003.00000003.713710363.0000000004A0F000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.642654981.0000000004A10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.785750413.0000000004A0C000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/Microsoft
Source: loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp	String found in binary or memory: https://45.77.0.96:6891/b
Source: loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp	String found in binary or memory: https://45.77.0.96:6891/der
Source: rundll32.exe, 00000003.00000003.713710363.0000000004A0F000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.637471085.0000000004A10000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/graphy
Source: loaddll32.exe, 00000000.00000002.781170560.0000000000775000.00000004.00000020.sdmp	String found in binary or memory: https://45.77.0.96:6891/i
Source: rundll32.exe, 00000003.00000003.642654981.0000000004A10000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/o
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/q
Source: loaddll32.exe, 00000000.00000003.437725694.0000000000784000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.713710363.0000000004A0F000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/y

Posts data to webserver

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4869Connection: CloseCache-Control: no-cache

Contains functionality to download additional files from the internet

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E5439F9 InternetReadFile,

0_2_6E5439F9

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.7:49771 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000002.780716842.000000000070B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 6.3.rundll32.exe.2e6db55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.2e6db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2eadb55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.59db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.57db55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.486db55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.59db55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.57db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.486db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2eadb55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.347040697.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.384482300.0000000002E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.784194713.000000006E511000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.388197619.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.347778721.0000000000580000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.366765780.0000000002E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.785930808.000000006E511000.00000020.00020000.sdmp, type: MEMORY

Detected Dridex e-Banking trojan

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E5151A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,

0_2_6E5151A7

System Summary:

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5267C8		0_2_6E5267C8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E531240		0_2_6E531240
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E519E70		0_2_6E519E70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E529E70		0_2_6E529E70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52A660		0_2_6E52A660
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E537660		0_2_6E537660
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E532E60		0_2_6E532E60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E51CA10		0_2_6E51CA10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E53FA10		0_2_6E53FA10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E530220		0_2_6E530220
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E53D620		0_2_6E53D620
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E516AD0		0_2_6E516AD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5296D0		0_2_6E5296D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E533EC0		0_2_6E533EC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E53FA10		0_2_6E53FA10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52B6F0		0_2_6E52B6F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E528EF0		0_2_6E528EF0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5362F0		0_2_6E5362F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52F6E0		0_2_6E52F6E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52AE80		0_2_6E52AE80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E528AB0		0_2_6E528AB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5326B0		0_2_6E5326B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E531EB0		0_2_6E531EB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52BF50		0_2_6E52BF50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E539B10		0_2_6E539B10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E533B00		0_2_6E533B00
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E531730		0_2_6E531730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5283C0		0_2_6E5283C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E527FC0		0_2_6E527FC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E537FC0		0_2_6E537FC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52E3F0		0_2_6E52E3F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52D030		0_2_6E52D030
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E531020		0_2_6E531020
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E51ACD0		0_2_6E51ACD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52A0D0		0_2_6E52A0D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5298DA		0_2_6E5298DA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5288C0		0_2_6E5288C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E528CC0		0_2_6E528CC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E535CB0		0_2_6E535CB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52E0A0		0_2_6E52E0A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E534CA0		0_2_6E534CA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5350A0		0_2_6E5350A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E53DCA0		0_2_6E53DCA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E511570		0_2_6E511570
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E527564		0_2_6E527564
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52FDD0		0_2_6E52FDD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5389F0		0_2_6E5389F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5371F0		0_2_6E5371F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52C590		0_2_6E52C590
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E52D980		0_2_6E52D980
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E53D180		0_2_6E53D180
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E51F9A0		0_2_6E51F9A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_00DCE8F8		3_3_00DCE8F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_00DCE8F8		3_3_00DCE8F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_00DCE8F8		3_3_00DCE8F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_00DCE8F8		3_3_00DCE8F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006DE42D		3_3_006DE42D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006E94AE		3_3_006E94AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006E94AE		3_3_006E94AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006EE3E8		3_3_006EE3E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006ED8FF		3_3_006ED8FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006E94AE		3_3_006E94AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006E94AE		3_3_006E94AE

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E5222A0 NtDelayExecution,		0_2_6E5222A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E53BE30 NtClose,		0_2_6E53BE30

Sample is known by Antivirus

Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll	Virustotal: Detection: 7%
Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll	ReversingLabs: Detection: 27%

PE file has an executable .text section and no other executable section

Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll,Bluewing
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll,Earth
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll,Masterjust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll,Bluewing			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll,Earth			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll,Masterjust			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll',#1			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Classification label

Source: classification engine

Classification label: mal84.bank.troj.evad.winDLL@11/2@0/4

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll,Bluewing

Found detection on Joe Sandbox Cloud Basic with higher score

Source: SecuriteInfo.com.Variant.Razy.980776.28328.4566

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Reads the hosts file

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Submission file is bigger than most known malware samples

Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll

Static file information: File size 1375232 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: SecuriteInfo.com.Variant.Razy.980776.28328.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:

Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.784937216.000000006E5D7000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.786186037.000000006E5D7000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.28328.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006DC07D pushfd ; retn 006Dh		3_3_006DC085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006DCA58 push 7804A13Eh; retf		3_3_006DCA5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006E2758 push ss; retf		3_3_006E275C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006E8F1B push esi; retf		3_3_006E8F3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006E40ED push esp; retf 0076h		3_3_006E40EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006E7EE4 push ss; ret		3_3_006E7F01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006E43AD push esp; retf 0076h		3_3_006E43AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_006DC280 pushfd ; retn 006Dh		3_3_006DC281

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Contains functionality to query network adapater information

Source: C:\Windows\System32\loaddll32.exe

Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,

0_2_6E5151A7

Contains functionality to query system information

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E523930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6E523930

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E53CEF8 FindFirstFileExW,

0_2_6E53CEF8

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: loaddll32.exe, 00000000.00000002.781060647.000000000076D000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: loaddll32.exe, 00000000.00000002.780748710.0000000000718000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWPXw%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E526C50 KiUserExceptionDispatcher,LdrLoadDll,

0_2_6E526C50

Contains functionality to register its own exception handler

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E527A60 RtlAddVectoredExceptionHandler,

0_2_6E527A60

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.77.0.96 235			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.56.219.47 180			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.46.210.220 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 143.244.140.214 40			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.28328.dll',#1

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000002.783245916.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.785236611.0000000002E50000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000002.783245916.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.785236611.0000000002E50000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.783245916.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.785236611.0000000002E50000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.783245916.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.785236611.0000000002E50000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the installation date of Windows

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query the account / user name

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E522980 GetUserNameW,

0_2_6E522980