Windows Analysis Report SecuriteInfo.com.Variant.Razy.980776.5008.1370

AV Detection:

Found malware configuration

Source: 0.3.loaddll32.exe.113db55.0.raw.unpack

Malware Configuration Extractor: Dridex {"Version": 10444, "C2 list": ["192.46.210.220:443", "143.244.140.214:808", "45.77.0.96:6891", "185.56.219.47:8116"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "syF7NqCylLS878kcIy9w5XeI8w6uMrqVwowz4h3uWHHlWsr5ELTiXic3wgqbllkcZyNGwPGihI"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Razy.980776.5008.dll

ReversingLabs: Detection: 20%

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Razy.980776.5008.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.4:49772 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Variant.Razy.980776.5008.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:

Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.1193920617.000000006E587000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1195365441.000000006E587000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.5008.dll

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4ECEF8 FindFirstFileExW,

0_2_6E4ECEF8

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.77.0.96 235			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.56.219.47 180			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.46.210.220 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 143.244.140.214 40			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 192.46.210.220:443
Source: Malware configuration extractor	IPs: 143.244.140.214:808
Source: Malware configuration extractor	IPs: 45.77.0.96:6891
Source: Malware configuration extractor	IPs: 185.56.219.47:8116

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: KELIWEBIT KELIWEBIT

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4853Connection: CloseCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 45.77.0.96 45.77.0.96
Source: Joe Sandbox View	IP Address: 185.56.219.47 185.56.219.47

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.4:49773 -> 143.244.140.214:808
Source: global traffic	TCP traffic: 192.168.2.4:49789 -> 45.77.0.96:6891
Source: global traffic	TCP traffic: 192.168.2.4:49791 -> 185.56.219.47:8116

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50219
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50187
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown	Network traffic detected: HTTP traffic on port 50162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 50170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 50201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 50226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50162
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50209
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50163
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50203
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50170
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:06:59 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:01 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:07 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:07 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:10 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:11 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:14 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:15 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:18 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:19 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:22 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:23 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:27 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:27 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:31 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:31 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:35 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:35 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:38 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:39 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:42 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:43 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:46 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:46 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:50 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:50 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:54 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:54 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:58 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:07:58 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:01 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:01 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:05 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:05 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:09 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:09 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:13 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:13 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:17 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:17 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:20 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:21 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:24 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:25 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:28 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:29 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:32 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:33 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:36 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:36 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:40 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:40 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:44 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:44 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:48 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:48 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:52 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:52 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:56 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:08:56 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:00 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:00 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:04 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:04 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:08 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:08 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:12 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:12 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:16 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:16 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:19 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:20 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:23 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:24 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:27 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:27 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:31 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:31 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:35 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:35 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:39 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:39 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:42 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:43 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:47 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:47 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:51 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:51 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:54 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:55 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:58 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:09:59 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:10:03 GMTContent-Type: text/plain; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.15.12Date: Thu, 28 Oct 2021 03:10:03 GMTContent-Type: text/plain; charset=utf-8Connection: close

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.77.0.96

URLs found in memory or binary data

Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000003.800119859.0000000005151000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799281472.000000000514F000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?75268022b6a29
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214/
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214/c
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.855700484.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/
Source: loaddll32.exe, 00000000.00000003.816913953.000000000142C000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/%
Source: loaddll32.exe, 00000000.00000003.1178896990.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/.140.214:808/hy
Source: loaddll32.exe, 00000000.00000003.904619445.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/0
Source: loaddll32.exe, 00000000.00000003.816913953.000000000142C000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/1
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/My
Source: loaddll32.exe, 00000000.00000003.920743516.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/P
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/S
Source: loaddll32.exe, 00000000.00000002.1192983673.000000000142B000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.860275635.000000000142A000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/em32
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1045448367.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.860275635.000000000142A000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/hy
Source: loaddll32.exe, 00000000.00000003.1045448367.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/l
Source: loaddll32.exe, 00000000.00000003.1063082745.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/ll
Source: loaddll32.exe, 00000000.00000002.1192983673.000000000142B000.00000004.00000020.sdmp	String found in binary or memory: https://143.244.140.214:808/ll1
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.920743516.0000000001429000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1028569401.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/oft
Source: loaddll32.exe, 00000000.00000003.855700484.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/v
Source: loaddll32.exe, 00000000.00000003.855700484.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://143.244.140.214:808/w
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47/
Source: loaddll32.exe, 00000000.00000003.811547591.000000000142C000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47/F
Source: loaddll32.exe, 00000000.00000003.811547591.000000000142C000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47/N
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1096183295.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/
Source: loaddll32.exe, 00000000.00000003.904619445.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/%
Source: loaddll32.exe, 00000000.00000003.837199003.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/&
Source: loaddll32.exe, 00000000.00000003.1096183295.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/0
Source: loaddll32.exe, 00000000.00000003.806428262.000000000142C000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/4.140.214:808/
Source: loaddll32.exe, 00000000.00000003.1045448367.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/853
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/C
Source: loaddll32.exe, 00000000.00000003.1096183295.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/D
Source: loaddll32.exe, 00000000.00000003.904619445.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/ES
Source: loaddll32.exe, 00000000.00000003.828785020.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/P
Source: loaddll32.exe, 00000000.00000003.953795452.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/Ps%
Source: loaddll32.exe, 00000000.00000003.995531404.0000000001428000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/oft
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1192983673.000000000142B000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.1045448367.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1178896990.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://185.56.219.47:8116/soft
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.970321561.0000000001429000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.1194600161.000000000514E000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/#
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/$
Source: loaddll32.exe, 00000000.00000003.920743516.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/)
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/-
Source: loaddll32.exe, 00000000.00000002.1192983673.000000000142B000.00000004.00000020.sdmp	String found in binary or memory: https://192.46.210.220/1
Source: loaddll32.exe, 00000000.00000003.937380465.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/5
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/9
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/Certification
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/E
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1096183295.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/GlobalSign
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/Google
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/L
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/N
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/O
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/W
Source: loaddll32.exe, 00000000.00000003.904619445.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/aenh.dll
Source: loaddll32.exe, 00000000.00000003.828785020.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/aenh.dllz
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/coro8
Source: loaddll32.exe, 00000000.00000003.1096183295.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/i
Source: loaddll32.exe, 00000000.00000003.1012124189.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1096183295.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1192983673.000000000142B000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000002.1194600161.000000000514E000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/ography
Source: loaddll32.exe, 00000000.00000003.855700484.000000000142B000.00000004.00000001.sdmp	String found in binary or memory: https://192.46.210.220/r
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96/
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1096183295.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.860275635.000000000142A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.1194600161.000000000514E000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.1045448367.000000000142B000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.1194600161.000000000514E000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/.0.96:6891/
Source: rundll32.exe, 00000003.00000002.1192429006.000000000099C000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/1$
Source: loaddll32.exe, 00000000.00000003.860275635.000000000142A000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/C
Source: loaddll32.exe, 00000000.00000003.896445896.0000000001429000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1045448367.000000000142B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.953795452.0000000001429000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/Microsoft
Source: rundll32.exe, 00000003.00000002.1194600161.000000000514E000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/graphy
Source: rundll32.exe, 00000003.00000002.1194600161.000000000514E000.00000004.00000001.sdmp	String found in binary or memory: https://45.77.0.96:6891/h.dlln

Posts data to webserver

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4865Connection: CloseCache-Control: no-cache

Contains functionality to download additional files from the internet

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4F39F9 InternetReadFile,

0_2_6E4F39F9

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.4:49772 version: TLS 1.2

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 3.3.rundll32.exe.2f5db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.468db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.113db55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.468db55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.113db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.445db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2d5db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.2f5db55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.445db55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2d5db55.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1194868368.000000006E4C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.766529856.0000000002F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.765489662.0000000004670000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.779791327.0000000002D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.790137281.0000000001120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1193417410.000000006E4C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.787445513.0000000004440000.00000040.00000001.sdmp, type: MEMORY

Detected Dridex e-Banking trojan

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4C51A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,

0_2_6E4C51A7

System Summary:

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Razy.980776.5008.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D67C8		0_2_6E4D67C8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E1240		0_2_6E4E1240
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DA660		0_2_6E4DA660
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E7660		0_2_6E4E7660
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E2E60		0_2_6E4E2E60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C9E70		0_2_6E4C9E70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D9E70		0_2_6E4D9E70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4CCA10		0_2_6E4CCA10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4EFA10		0_2_6E4EFA10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E0220		0_2_6E4E0220
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4ED620		0_2_6E4ED620
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4EFA10		0_2_6E4EFA10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E3EC0		0_2_6E4E3EC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C6AD0		0_2_6E4C6AD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D96D0		0_2_6E4D96D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DF6E0		0_2_6E4DF6E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D8EF0		0_2_6E4D8EF0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DB6F0		0_2_6E4DB6F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E62F0		0_2_6E4E62F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DAE80		0_2_6E4DAE80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D8AB0		0_2_6E4D8AB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E26B0		0_2_6E4E26B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E1EB0		0_2_6E4E1EB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DBF50		0_2_6E4DBF50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D5B60		0_2_6E4D5B60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4CAF7F		0_2_6E4CAF7F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E3B00		0_2_6E4E3B00
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E9B10		0_2_6E4E9B10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E1730		0_2_6E4E1730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D83C0		0_2_6E4D83C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D7FC0		0_2_6E4D7FC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E7FC0		0_2_6E4E7FC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DE3F0		0_2_6E4DE3F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C1784		0_2_6E4C1784
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E1020		0_2_6E4E1020
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DD030		0_2_6E4DD030
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D88C0		0_2_6E4D88C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D8CC0		0_2_6E4D8CC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D98DA		0_2_6E4D98DA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DA0D0		0_2_6E4DA0D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DE0A0		0_2_6E4DE0A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E4CA0		0_2_6E4E4CA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E50A0		0_2_6E4E50A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4EDCA0		0_2_6E4EDCA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E5CB0		0_2_6E4E5CB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D7564		0_2_6E4D7564
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DFDD0		0_2_6E4DFDD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E89F0		0_2_6E4E89F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E71F0		0_2_6E4E71F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DD980		0_2_6E4DD980
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4ED180		0_2_6E4ED180
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DC590		0_2_6E4DC590
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4CF9A0		0_2_6E4CF9A0

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D22A0 NtDelayExecution,		0_2_6E4D22A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4EBE30 NtClose,		0_2_6E4EBE30

Sample is known by Antivirus

Source: SecuriteInfo.com.Variant.Razy.980776.5008.dll

ReversingLabs: Detection: 20%

PE file has an executable .text section and no other executable section

Source: SecuriteInfo.com.Variant.Razy.980776.5008.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll,Bluewing
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll,Earth
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll,Masterjust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll,Bluewing			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll,Earth			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll,Masterjust			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll',#1			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Classification label

Source: classification engine

Classification label: mal84.bank.troj.evad.winDLL@11/2@0/4

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll,Bluewing

Found detection on Joe Sandbox Cloud Basic with higher score

Source: SecuriteInfo.com.Variant.Razy.980776.5008.1370

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Reads the hosts file

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Submission file is bigger than most known malware samples

Source: SecuriteInfo.com.Variant.Razy.980776.5008.dll

Static file information: File size 1375232 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Variant.Razy.980776.5008.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: SecuriteInfo.com.Variant.Razy.980776.5008.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:

Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.1193920617.000000006E587000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1195365441.000000006E587000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.5008.dll

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Contains functionality to query network adapater information

Source: C:\Windows\System32\loaddll32.exe

Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,

0_2_6E4C51A7

Contains functionality to query system information

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4D3930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6E4D3930

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4ECEF8 FindFirstFileExW,

0_2_6E4ECEF8

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: loaddll32.exe, 00000000.00000002.1192967377.000000000141E000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E5397B0 IsDebuggerPresent,IsDebuggerPresent,CreateThread,std::_Timevec::_Timevec,WaitForSingleObjectEx,

3_2_6E5397B0

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E538B60 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV,

3_2_6E538B60

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E5347C0 mov ecx, dword ptr fs:[00000030h]		3_2_6E5347C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E60BA72 mov eax, dword ptr fs:[00000030h]		3_2_6E60BA72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E60B64D push dword ptr fs:[00000030h]		3_2_6E60B64D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E60B942 mov eax, dword ptr fs:[00000030h]		3_2_6E60B942

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4D6C50 KiUserExceptionDispatcher,LdrLoadDll,

0_2_6E4D6C50

Contains functionality to register its own exception handler

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D7A60 RtlAddVectoredExceptionHandler,		0_2_6E4D7A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E5063A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6E5063A0

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.77.0.96 235			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.56.219.47 180			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.46.210.220 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 143.244.140.214 40			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.5008.dll',#1

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000002.1193139595.0000000001BE0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1193661861.00000000033E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1193139595.0000000001BE0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1193661861.00000000033E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1193139595.0000000001BE0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1193661861.00000000033E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1193139595.0000000001BE0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1193661861.00000000033E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		3_2_6E551E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW,		3_2_6E552750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		3_2_6E551F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		3_2_6E53BC30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		3_2_6E53B0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		3_2_6E552960
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		3_2_6E551DB0

Queries the installation date of Windows

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query the account / user name

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4D2980 GetUserNameW,

0_2_6E4D2980