Windows Analysis Report SecuriteInfo.com.Variant.Razy.980776.19803.14094

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Razy.980776.19803.14094 (renamed file extension from 14094 to dll)
Analysis ID: 510692
MD5: 617b1fd1bfdab72e5562c0c2f7600bcb
SHA1: 9e5bf19ba51cbd5849a225f022b939a48e5769b3
SHA256: 9b9c38d267cedfb2c423fbad71a50f76d0743a3ecc8f6027029fa13ea36e00e4
Tags: dll

Detection

Dridex
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Detected Dridex e-Banking trojan
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locale information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0.3.loaddll32.exe.104db55.0.raw.unpack Malware Configuration Extractor: Dridex {"Version": 10444, "C2 list": ["192.46.210.220:443", "143.244.140.214:808", "45.77.0.96:6891", "185.56.219.47:8116"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "syF7NqCylLS878kcIy9w5XeI8w6uMrqVwowz4h3uWHHlWsr5ELTiXic3wgqbllkcZyNGwPGihI"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll Virustotal: Detection: 7%
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll ReversingLabs: Detection: 18%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.845974920.000000006E717000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.888666799.000000006E717000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.19803.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E67CEF8 FindFirstFileExW, 0_2_6E67CEF8

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.77.0.96 235
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.56.219.47 180
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.46.210.220 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 143.244.140.214 40
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 192.46.210.220:443
Source: Malware configuration extractor IPs: 143.244.140.214:808
Source: Malware configuration extractor IPs: 45.77.0.96:6891
Source: Malware configuration extractor IPs: 185.56.219.47:8116
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: KELIWEBIT
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
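
The extracted configuration (version 10444, four C2 endpoints, two RC4 keys) together with the JA3 hash above is the most reusable output of this report. The Python below is added here as an example; it is not part of the Joe Sandbox report and not Dridex code. It turns the configuration string printed by the extractor into (ip, port) indicators, checks connection records against those indicators and the JA3 hash, and includes a plain RC4 routine because the configuration labels its keys as RC4 keys. How Dridex applies those keys to its traffic is not shown on this page, so the RC4 function is only checked against the public "Key"/"Plaintext" test vector. The connection records are constructed for illustration, not sandbox output.

```python
"""Turn the Dridex configuration printed in this report into network
indicators and check connection records against them.

Added example, not Joe Sandbox output and not Dridex code. The C2 list,
RC4 keys and JA3 hash are copied from the report; the connection records
below are constructed for illustration."""
import ipaddress
import json

# Configuration exactly as the report's Malware Configuration Extractor prints it.
DRIDEX_CONFIG = json.loads(
    '{"Version": 10444, "C2 list": ["192.46.210.220:443", "143.244.140.214:808", '
    '"45.77.0.96:6891", "185.56.219.47:8116"], "RC4 keys": '
    '["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", '
    '"syF7NqCylLS878kcIy9w5XeI8w6uMrqVwowz4h3uWHHlWsr5ELTiXic3wgqbllkcZyNGwPGihI"]}'
)

# JA3 client fingerprint the report associates with this sample.
KNOWN_JA3 = {"51c64c77e60f3980eea90869b68c58a8"}


def c2_endpoints(config):
    """Return the C2 list as a set of (ip, port) tuples, validating each entry."""
    endpoints = set()
    for entry in config["C2 list"]:
        host, _, port = entry.rpartition(":")
        # ip_address() raises ValueError on a malformed host, which is what we want
        # for an indicator list that feeds detection rules.
        endpoints.add((str(ipaddress.ip_address(host)), int(port)))
    return endpoints


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so the same call decrypts.
    The report only says the config holds RC4 keys; the way Dridex applies
    them to payloads is not on the page, so this is the bare cipher, not a
    decoder for captured traffic."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def match_connections(records, config, ja3_set=KNOWN_JA3):
    """Flag records that hit a C2 endpoint or a known JA3 hash.
    Each record is a dict with dst_ip, dst_port and optionally ja3.
    Returns (dst_ip, dst_port, [reasons]) for every hit, in input order."""
    endpoints = c2_endpoints(config)
    hits = []
    for rec in records:
        reasons = []
        if (rec["dst_ip"], rec["dst_port"]) in endpoints:
            reasons.append("c2-endpoint")
        if rec.get("ja3") in ja3_set:
            reasons.append("known-ja3")
        if reasons:
            hits.append((rec["dst_ip"], rec["dst_port"], reasons))
    return hits


# Constructed records: the first three mirror flows listed in the report,
# the last is benign filler (RFC 5737 documentation address, made-up JA3).
SAMPLE_RECORDS = [
    {"dst_ip": "192.46.210.220", "dst_port": 443,
     "ja3": "51c64c77e60f3980eea90869b68c58a8"},
    {"dst_ip": "143.244.140.214", "dst_port": 808},
    {"dst_ip": "45.77.0.96", "dst_port": 6891},
    {"dst_ip": "203.0.113.10", "dst_port": 443, "ja3": "deadbeefdeadbeefdeadbeefdeadbeef"},
]

if __name__ == "__main__":
    for hit in match_connections(SAMPLE_RECORDS, DRIDEX_CONFIG):
        print(hit)
    # Public RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
```

The endpoint match is deliberately exact on (ip, port): Dridex C2 nodes in this configuration sit on non-standard ports (808, 6891, 8116), and matching on the IP alone would also fire on unrelated services hosted at the same provider.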
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected (43 requests with these headers): POST / HTTP/1.1 | Host: 192.46.210.220 | Content-Length: 4814 | Connection: Close | Cache-Control: no-cache
Source: global traffic HTTP traffic detected (43 requests with these headers): POST / HTTP/1.1 | Host: 192.46.210.220 | Content-Length: 4802 | Connection: Close | Cache-Control: no-cache
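
Every request in this block has the same shape: a POST to / with a bare IP in the Host header, no User-Agent, Connection: Close, Cache-Control: no-cache and a body of roughly 4.8 KB, and (further down) the server answers each one with 403 Forbidden. The Python below is an added example, not code from the report or from the sandbox. It parses a raw request rebuilt from the headers printed above (body padded to the printed Content-Length), and reports which of those traits the request matches. The body-size thresholds and the benign control request are assumptions chosen for illustration.

```python
"""Flag C2-style HTTP requests of the kind this report shows: POST to "/" on a
bare-IP Host, no User-Agent, Connection: Close, Cache-Control: no-cache and a
few-KB body.

Added example, not Joe Sandbox code. SAMPLE_REQUEST is rebuilt from the
header values printed in the report; its body is filler of the printed
length. The thresholds and BENIGN_REQUEST are assumptions."""
import ipaddress

# Constructed request: headers copied from the report, body padded to the
# Content-Length the report shows (4814 bytes).
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: 192.46.210.220\r\n"
    "Content-Length: 4814\r\n"
    "Connection: Close\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n" + "A" * 4814
)

# Constructed benign control: what a browser-style client would send.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_bare_ip(host: str) -> bool:
    """True when Host is an IPv4 literal (with or without :port) rather than a
    name. Bracketed IPv6 literals are not handled by this helper."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def c2_indicators(raw: str, min_body: int = 1024, max_body: int = 16384):
    """Return the list of heuristics the request trips; an empty list is clean.
    The body-size window is an assumption sized around the ~4.8 KB posts in
    the report, not a Dridex constant."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if "user-agent" not in headers:
        reasons.append("no-user-agent")
    if is_bare_ip(headers.get("host", "")):
        reasons.append("bare-ip-host")
    if method == "POST" and path == "/":
        reasons.append("post-to-root")
    if (headers.get("connection", "").lower() == "close"
            and headers.get("cache-control", "").lower() == "no-cache"):
        reasons.append("close-no-cache")
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        length = 0
    if min_body <= length <= max_body and len(body) == length:
        reasons.append("fixed-size-body")
    return reasons


if __name__ == "__main__":
    print(c2_indicators(SAMPLE_REQUEST))   # all five heuristics
    print(c2_indicators(BENIGN_REQUEST))   # []
```

No single trait here is malicious on its own (plenty of scripted clients omit User-Agent), so treat the returned list as a score to combine with the destination indicators from the configuration rather than as a verdict.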
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.77.0.96
Source: Joe Sandbox View IP Address: 185.56.219.47
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49748 -> 143.244.140.214:808
Source: global traffic TCP traffic: 192.168.2.3:49751 -> 45.77.0.96:6891
Source: global traffic TCP traffic: 192.168.2.3:49753 -> 185.56.219.47:8116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50149
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50157 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50101 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:03:46 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.508875492.00000000033DB000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000004.00000003.454870700.00000000033DB000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 00000004.00000003.508875492.00000000033DB000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.508875492.00000000033DB000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.454870700.00000000033DB000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000004.00000003.453106675.0000000005465000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?24307bc719346
Source: rundll32.exe, 00000004.00000003.508875492.00000000033DB000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214/
Source: rundll32.exe, 00000004.00000003.508875492.00000000033DB000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/
Source: rundll32.exe, 00000004.00000002.855490130.0000000005463000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47/
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.785545934.000000000114D000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.690151454.0000000003440000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.508875492.00000000033DB000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.670962409.0000000003440000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.459519197.0000000001158000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.732236260.000000000339C000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96/
Source: rundll32.exe, 00000004.00000003.732236260.000000000339C000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96/(6
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96/J
Source: loaddll32.exe, 00000000.00000003.749472778.0000000001150000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.719411339.000000000114E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.456386588.0000000005467000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.855490130.0000000005463000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/
Source: rundll32.exe, 00000004.00000003.456386588.0000000005467000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/)
Source: loaddll32.exe, 00000000.00000003.684059514.0000000001150000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/.
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.547291056.0000000001150000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.774221370.0000000001150000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/.0.96:6891/Microsoft
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.833374830.00000000033D7000.00000004.00000020.sdmp String found in binary or memory: https://45.77.0.96:6891/08/
Source: loaddll32.exe, 00000000.00000003.512614801.0000000001157000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/14
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/2
Source: loaddll32.exe, 00000000.00000003.719411339.000000000114E000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/B
Source: loaddll32.exe, 00000000.00000003.608201796.000000000114A000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/J
Source: loaddll32.exe, 00000000.00000003.749472778.0000000001150000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.603741779.0000000001150000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.491368237.0000000001150000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.543841202.0000000001156000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.855490130.0000000005463000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/Microsoft
Source: rundll32.exe, 00000004.00000003.456375848.0000000003450000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/N
Source: loaddll32.exe, 00000000.00000003.505189315.0000000001151000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/Zm
Source: loaddll32.exe, 00000000.00000003.491368237.0000000001150000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/b
Source: loaddll32.exe, 00000000.00000003.608201796.000000000114A000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.825892438.0000000001143000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000003.456375848.0000000003450000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/der
Source: loaddll32.exe, 00000000.00000003.459519197.0000000001158000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/derR
Source: loaddll32.exe, 00000000.00000002.825892438.0000000001143000.00000004.00000020.sdmp String found in binary or memory: https://45.77.0.96:6891/e
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.719411339.000000000114E000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.825892438.0000000001143000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000002.855490130.0000000005463000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/graphy
Source: loaddll32.exe, 00000000.00000002.825892438.0000000001143000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000003.456349641.0000000003414000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/h.dll
Source: loaddll32.exe, 00000000.00000003.459519197.0000000001158000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/h.dll9
Source: rundll32.exe, 00000004.00000003.508903560.0000000003450000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/h9
Source: loaddll32.exe, 00000000.00000003.608201796.000000000114A000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/k
Source: loaddll32.exe, 00000000.00000003.806756501.000000000114F000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/r
Source: rundll32.exe, 00000004.00000003.456375848.0000000003450000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/v
Source: rundll32.exe, 00000004.00000003.732236260.000000000339C000.00000004.00000001.sdmp String found in binary or memory: https://452.46.210.220/
Source: unknown HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4814 Connection: Close Cache-Control: no-cache
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6839F9 InternetReadFile, 0_2_6E6839F9
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49747 version: TLS 1.2
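The request logged above combines three weak signals that are worth checking together rather than singly: a POST to the server root, a Host header that is a bare IP literal, and no User-Agent. The following is an added example (not code from the report or from the sandbox) that scores cleartext requests on exactly that combination. The sample requests are constructed: the first re-creates the logged request with its CRLF header separators restored, the others are controls. This only applies to traffic you can see in the clear or after TLS termination; the 192.46.210.220:443 sessions above would show nothing but the TLS handshake on the wire.

```python
"""Flag cleartext HTTP requests that look like the beacon in this report:
a POST to a bare IP literal with no User-Agent header.

Added example; not code from the report or the sandbox. The sample requests are
constructed. The first one re-creates the request logged above with the header
separators (CRLF) restored; the rest are controls.
"""
import ipaddress
from dataclasses import dataclass, field

SAMPLE_REQUESTS = [
    # Reconstructed from the report (constructed line breaks).
    "POST / HTTP/1.1\r\nHost: 192.46.210.220\r\nContent-Length: 4814\r\n"
    "Connection: Close\r\nCache-Control: no-cache\r\n\r\n",
    # Benign browser request: named host, User-Agent present.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    # Tooling talking to an IP literal but identifying itself: not flagged.
    "POST /api HTTP/1.1\r\nHost: 10.0.0.5:8080\r\nUser-Agent: curl/8.0\r\n"
    "Content-Length: 2\r\n\r\n",
    # Second C2 host from the configuration, non-standard port: flagged.
    "POST /upload HTTP/1.1\r\nHost: 45.77.0.96:6891\r\nContent-Length: 10\r\n\r\n",
]


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Split the request head into method, path and a name->value header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def host_is_ip_literal(host: str) -> bool:
    """True when the Host header is an IPv4/IPv6 address, with or without a port."""
    if host.startswith("["):                     # [v6]:port
        hostname = host[1:host.find("]")]
    elif host.count(":") == 1:                   # v4:port
        hostname = host.rsplit(":", 1)[0]
    else:                                        # bare v4, or bare v6
        hostname = host
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def assess(raw: str) -> dict:
    """Collect the individual weak signals for one request."""
    req = parse_request(raw)
    host = req.headers.get("host", "")
    reasons = []
    if "user-agent" not in req.headers:
        reasons.append("no User-Agent header")
    if host_is_ip_literal(host):
        reasons.append("Host is a bare IP literal")
    if req.method == "POST" and req.path == "/":
        reasons.append("POST to /")
    return {"host": host, "method": req.method, "reasons": reasons}


def is_c2_like(assessment: dict) -> bool:
    """Require the combination, not any single signal: many legitimate clients
    omit a User-Agent, and plenty of internal tooling uses IP literals."""
    reasons = assessment["reasons"]
    return (assessment["method"] == "POST"
            and "no User-Agent header" in reasons
            and "Host is a bare IP literal" in reasons)


def scan(raw_requests) -> list:
    """Return the assessments of requests that match the beacon profile."""
    return [a for a in map(assess, raw_requests) if is_c2_like(a)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["host"], "->", "; ".join(hit["reasons"]))
```

Running it flags only the two constructed C2-style requests (192.46.210.220 and 45.77.0.96:6891); the curl request to an IP literal passes because it identifies itself. The missing User-Agent on its own is a poor detection, which is why is_c2_like insists on all three conditions.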

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 3.3.rundll32.exe.53db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.104db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.2d6db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.321db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.2d6db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.321db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4dbdb55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4dbdb55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.104db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.53db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.838096083.000000006E651000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.417154756.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.439012632.0000000002D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.869577587.000000006E651000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.431444346.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440875078.0000000001030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.415782949.0000000000520000.00000040.00000001.sdmp, type: MEMORY
Detected Dridex e-Banking trojan
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6551A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 0_2_6E6551A7

System Summary:

Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6667C8 0_2_6E6667C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66A660 0_2_6E66A660
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E677660 0_2_6E677660
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E672E60 0_2_6E672E60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E659E70 0_2_6E659E70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E669E70 0_2_6E669E70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E671240 0_2_6E671240
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E670220 0_2_6E670220
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E67D620 0_2_6E67D620
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E65CA10 0_2_6E65CA10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E67FA10 0_2_6E67FA10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66F6E0 0_2_6E66F6E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E668EF0 0_2_6E668EF0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6762F0 0_2_6E6762F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E67FA10 0_2_6E67FA10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E673EC0 0_2_6E673EC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E656AD0 0_2_6E656AD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6696D0 0_2_6E6696D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E668AB0 0_2_6E668AB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6726B0 0_2_6E6726B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E671EB0 0_2_6E671EB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66AE80 0_2_6E66AE80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66BF50 0_2_6E66BF50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E671730 0_2_6E671730
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E673B00 0_2_6E673B00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E679B10 0_2_6E679B10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66B71F 0_2_6E66B71F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66E3F0 0_2_6E66E3F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6683C0 0_2_6E6683C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E667FC0 0_2_6E667FC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E677FC0 0_2_6E677FC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E671020 0_2_6E671020
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66D030 0_2_6E66D030
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6688C0 0_2_6E6688C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E668CC0 0_2_6E668CC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E65ACD0 0_2_6E65ACD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66A0D0 0_2_6E66A0D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6698DA 0_2_6E6698DA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66E0A0 0_2_6E66E0A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E674CA0 0_2_6E674CA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6750A0 0_2_6E6750A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E67DCA0 0_2_6E67DCA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E675CB0 0_2_6E675CB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E667564 0_2_6E667564
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E651570 0_2_6E651570
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E665DE8 0_2_6E665DE8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6789F0 0_2_6E6789F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6771F0 0_2_6E6771F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66FDD0 0_2_6E66FDD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E65F9A0 0_2_6E65F9A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66D980 0_2_6E66D980
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E67D180 0_2_6E67D180
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66C590 0_2_6E66C590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E69E210 4_2_6E69E210
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6622A0 NtDelayExecution, 0_2_6E6622A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E67BE30 NtClose, 0_2_6E67BE30
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll Virustotal: Detection: 7%
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.19803.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.19803.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.19803.dll,Bluewing
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.19803.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.19803.dll,Earth
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.19803.dll,Masterjust
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal84.bank.troj.evad.winDLL@11/1@0/5
Source: SecuriteInfo.com.Variant.Razy.980776.19803.14094 Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll Static file information: File size 1375232 > 1048576
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Variant.Razy.980776.19803.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.845974920.000000006E717000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.888666799.000000006E717000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.19803.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_00F2A051 push ebp; ret 0_3_00F2A052
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_00F2A105 push 4796B4D2h; ret 0_3_00F2A205
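The two sequences above are the classic push/ret jump: push imm32 followed by ret transfers control to imm32 with the stack left balanced, so a linear-sweep disassembler sees a function return where there is really a branch, and push ebp; ret does the same with a run-time target. The following is an added example (not code from the report) that scans raw x86 bytes for both encodings and reports the branch each one stands for. CODE is a constructed blob that places the two sequences the report decoded (at 0_3_00F2A051 and 0_3_00F2A105) at the matching offsets from BASE; the 0x90 filler between them is a placeholder, not bytes from the sample.

```python
"""Linear scan for push/ret jump obfuscation in raw x86 code bytes.

Added example, not part of the report. CODE is a constructed blob that places
the two sequences the report decoded (push ebp; ret at 0_3_00F2A051 and
push 4796B4D2h; ret at 0_3_00F2A105) at the matching offsets from BASE; the
0x90 filler between them is a placeholder, not bytes from the sample.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

BASE = 0x00F2A051
CODE = b"\x55\xC3" + b"\x90" * 178 + b"\x68\xD2\xB4\x96\x47\xC3"


def find_push_ret(code: bytes, base: int = 0) -> list:
    """Return every push imm32;ret and push r32;ret pair with its effective jump.

    push imm32 / ret (68 xx xx xx xx C3) leaves the stack balanced and transfers
    control to imm32: a jmp written so that a disassembler's linear sweep sees a
    function return rather than a branch. push r32 / ret (50+r C3) does the same
    with a target that is only known at run time.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x68 and i + 5 < n and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]   # little-endian imm32
            hits.append({
                "addr": base + i,
                "insn": f"push {target:08X}h; ret",
                "target": target,
                "equivalent": f"jmp {target:08X}h",
            })
            i += 6
            continue
        if 0x50 <= op <= 0x57 and i + 1 < n and code[i + 1] == 0xC3:
            reg = REG32[op - 0x50]
            hits.append({
                "addr": base + i,
                "insn": f"push {reg}; ret",
                "target": None,
                "equivalent": f"jmp {reg} (target known only at run time)",
            })
            i += 2
            continue
        i += 1
    return hits


if __name__ == "__main__":
    for hit in find_push_ret(CODE, BASE):
        print(f"{hit['addr']:08X}  {hit['insn']:<24} -> {hit['equivalent']}")
```

Two caveats. A byte-pattern sweep does not know where instructions start, so 55 C3 inside an immediate or in data also matches; treat hits as pointers for a real disassembler, not as verdicts. And an imm32 target is only meaningful if it lands inside a mapped executable region of the process, which this scanner has no view of.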
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Contains functionality to query network adapter information
Source: C:\Windows\System32\loaddll32.exe Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 0_2_6E6551A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E663930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation, 0_2_6E663930
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E67CEF8 FindFirstFileExW, 0_2_6E67CEF8
Source: loaddll32.exe, 00000000.00000002.825892438.0000000001143000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000003.732236260.000000000339C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E6C97B0 IsDebuggerPresent,IsDebuggerPresent,CreateThread,std::_Timevec::_Timevec,WaitForSingleObjectEx, 4_2_6E6C97B0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E6C8B60 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV, 4_2_6E6C8B60
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E6C47C0 mov ecx, dword ptr fs:[00000030h] 4_2_6E6C47C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E79BA72 mov eax, dword ptr fs:[00000030h] 4_2_6E79BA72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E79B64D push dword ptr fs:[00000030h] 4_2_6E79B64D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E79B942 mov eax, dword ptr fs:[00000030h] 4_2_6E79B942
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E666C50 KiUserExceptionDispatcher,LdrLoadDll, 0_2_6E666C50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E667A60 RtlAddVectoredExceptionHandler, 0_2_6E667A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E6963A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E6963A0

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.77.0.96 235
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.56.219.47 180
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.46.210.220 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 143.244.140.214 40
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.19803.dll',#1
Source: loaddll32.exe, 00000000.00000002.830495060.0000000001910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.840491551.00000000037F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.830495060.0000000001910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.840491551.00000000037F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.830495060.0000000001910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.840491551.00000000037F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.830495060.0000000001910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.840491551.00000000037F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E6E1E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E6E1F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 4_2_6E6E2750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E6CBC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E6E1DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E6CB0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E6E2960
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E662980 GetUserNameW, 0_2_6E662980