Windows Analysis Report
Updater.dll.dll

Overview

General Information

Sample name: Updater.dll.dll
(renamed file extension from exe to dll)
Original sample name: Updater.dll.exe
Analysis ID: 1541407
MD5: 80cd37d9eb33507bf054f32ce2380b09
SHA1: 6e8d57dde537ace0639931569ae2b04b9cb99a26
SHA256: f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd
Tags: exeuser-pr0xylife

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.7% probability
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57967 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57974 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57987 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57989 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57995 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58025 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58066 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58090 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58096 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58102 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58108 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58114 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58126 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58135 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58141 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58147 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58153 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58159 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58179 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58185 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58190 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58196 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58198 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58200 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58201 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58202 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58203 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58204 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58205 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58206 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58207 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58208 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58209 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58210 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58212 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58213 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58214 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58215 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58216 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58217 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58219 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58220 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58221 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58222 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58223 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58224 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58225 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58226 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58227 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58228 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58229 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58232 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58233 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58234 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58235 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58236 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58237 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58238 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58239 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58240 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58241 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58242 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58243 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58244 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58245 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58246 version: TLS 1.2
Source: Updater.dll.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F713A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose, 7_2_00007FF8B8F713A0

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 185.161.251.26 443
Source: Joe Sandbox View ASN Name: NTLGB NTLGB
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49709 -> 185.161.251.26:443
Source: unknown DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F71C40 LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,SetLastError,HttpSendRequestW,GetLastError,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 7_2_00007FF8B8F71C40
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: rundll32.exe, 00000007.00000002.3297802931.0000015144241000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2945698785.0000015144266000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.161.251.26/
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 58031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 58220 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58243 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58219
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58216
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58218
Source: unknown Network traffic detected: HTTP traffic on port 58019 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58217
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58102
Source: unknown Network traffic detected: HTTP traffic on port 58208 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58223
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58222
Source: unknown Network traffic detected: HTTP traffic on port 57989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58225
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58224
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58221
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58220
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58225 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58227
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58226
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58229
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58228
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58234
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58236
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58114
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58235
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58230
Source: unknown Network traffic detected: HTTP traffic on port 57995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58231 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58232
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58231
Source: unknown Network traffic detected: HTTP traffic on port 58048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 58214 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 58226 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58238
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58237
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58239
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58245
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58246
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58241
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58240
Source: unknown Network traffic detected: HTTP traffic on port 58232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58243
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58242
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 58078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58135 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58135
Source: unknown Network traffic detected: HTTP traffic on port 58090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58010
Source: unknown Network traffic detected: HTTP traffic on port 58237 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 58209 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 58084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 58025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 58096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58227 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 58221 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 58238 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58210 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 58216 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58239 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58201
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58200
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58202
Source: unknown Network traffic detected: HTTP traffic on port 58179 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58190 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 58244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58209
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58204
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58207
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58206
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58212
Source: unknown Network traffic detected: HTTP traffic on port 58233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58211
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58214
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58213
Source: unknown Network traffic detected: HTTP traffic on port 58205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58210
Source: unknown Network traffic detected: HTTP traffic on port 58211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58185
Source: unknown Network traffic detected: HTTP traffic on port 58102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58066
Source: unknown Network traffic detected: HTTP traffic on port 58234 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58060
Source: unknown Network traffic detected: HTTP traffic on port 58246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58217 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58196
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58199
Source: unknown Network traffic detected: HTTP traffic on port 58228 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58198
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58190
Source: unknown Network traffic detected: HTTP traffic on port 58245 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58206 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58084
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 58223 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 58212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58096
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58090
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58224 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57967
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58201 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58019
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58147
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58141
Source: unknown Network traffic detected: HTTP traffic on port 58230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57974
Source: unknown Network traffic detected: HTTP traffic on port 58147 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58159
Source: unknown Network traffic detected: HTTP traffic on port 58199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58037
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58031
Source: unknown Network traffic detected: HTTP traffic on port 58207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 58235 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 58241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57989
Source: unknown Network traffic detected: HTTP traffic on port 58010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57987
Source: unknown Network traffic detected: HTTP traffic on port 58037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58198 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58048
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58043
Source: unknown Network traffic detected: HTTP traffic on port 58236 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58165
Source: unknown Network traffic detected: HTTP traffic on port 58213 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58219 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58202 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58171
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58159 -> 443
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57967 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57974 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57987 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57989 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57995 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58025 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58066 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58090 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58096 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58102 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58108 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58114 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58126 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58135 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58141 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58147 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58153 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58159 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58179 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58185 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58190 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58196 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58198 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58200 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58201 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58202 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58203 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58204 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58205 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58206 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58207 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58208 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58209 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58210 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58212 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58213 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58214 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58215 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58216 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58217 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58219 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58220 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58221 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58222 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58223 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58224 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58225 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58226 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58227 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58228 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58229 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58232 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58233 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58234 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58235 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58236 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58237 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58238 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58239 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58240 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58241 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58242 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58243 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58244 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58245 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58246 version: TLS 1.2
Source: C:\Windows\System32\loaddll64.exe File created: C:\Windows\Tasks\Spiralogics.job
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Tasks\Talespin.job
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Tasks\Ventuso LLC.job
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Tasks\SnapMobile.job
Source: C:\Windows\System32\loaddll64.exe File deleted: C:\Windows\Tasks\SnapMobile.job
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F71C40 7_2_00007FF8B8F71C40
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F745E0 7_2_00007FF8B8F745E0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F72C40 7_2_00007FF8B8F72C40
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F768A0 7_2_00007FF8B8F768A0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F818C0 7_2_00007FF8B8F818C0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F83508 7_2_00007FF8B8F83508
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F7B310 7_2_00007FF8B8F7B310
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F73F30 7_2_00007FF8B8F73F30
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F7CD38 7_2_00007FF8B8F7CD38
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F82D5C 7_2_00007FF8B8F82D5C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F75160 7_2_00007FF8B8F75160
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F78F68 7_2_00007FF8B8F78F68
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F73170 7_2_00007FF8B8F73170
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F82578 7_2_00007FF8B8F82578
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F71990 7_2_00007FF8B8F71990
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F7EFB0 7_2_00007FF8B8F7EFB0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F821C8 7_2_00007FF8B8F821C8
Source: classification engine Classification label: mal56.evad.winDLL@19/12@1/1
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F77740 CoInitializeEx,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,SysAllocString,SysAllocString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize, 7_2_00007FF8B8F77740
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\461592c6-32a2-4a5a-9542-783ba1348002
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\5bba9e40-0e32-4b7f-b39a-667bbc0c2293
Source: C:\Windows\System32\rundll32.exe Mutant created: \BaseNamedObjects\5bba9e40-0e32-4b7f-b39a-667bbc0c2293
Source: Updater.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Updater.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Talespin\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Ventuso LLC\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServerEx
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\SnapMobile\Updater.dll",Start /u
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Spiralogics\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Updater.dll.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: Updater.dll.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Updater.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Updater.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Updater.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Updater.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Updater.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
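The static PE lines above (image base 0x180000000, HIGH_ENTROPY_VA / DYNAMIC_BASE / NX_COMPAT, the section each data directory lands in, and the .text section flags) can all be read straight from the PE32+ headers. The following is an added example, not part of the Joe Sandbox report: a minimal standard-library parser for those header fields, plus a constructed PE32+ header that mirrors the listed facts so the parser can be run offline. The constructed bytes are an assumption for illustration and are not the sample's own bytes; field offsets follow the IMAGE_OPTIONAL_HEADER64 layout in winnt.h.

```python
"""Minimal PE32+ header reader for the static facts a sandbox report lists.

Added example, not from the report: parse_pe64() reads the DOS, COFF, optional
and section headers; build_sample_image() constructs (assumed) header bytes that
mirror the listed facts so the parser can run offline without the sample.
"""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF",
}
# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                   "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                   "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                   "COM_DESCRIPTOR", "RESERVED"]


def parse_pe64(data):
    """Parse the headers of a PE32+ image and summarise the fields the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # ImageBase
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # DllCharacteristics
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]      # NumberOfRvaAndSizes
    dirs = [(DIRECTORY_NAMES[i], *struct.unpack_from("<II", data, opt + 112 + 8 * i))
            for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(nsections):
        name, vsize, va, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "flags": [n for bit, n in sorted(SECTION_FLAGS.items()) if chars & bit]})

    def section_of(rva):
        # Map a directory RVA onto the section whose virtual range contains it.
        return next((s["name"] for s in sections if s["va"] <= rva < s["va"] + s["vsize"]), None)

    return {
        "image_base": image_base,
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "directories": {name: section_of(rva) for name, rva, size in dirs if size},
        "sections": sections,
        # Writable+executable sections: none in this layout, worth flagging when present.
        "wx_sections": [s["name"] for s in sections
                        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= set(s["flags"])],
    }


def build_sample_image():
    """Constructed PE32+ header mirroring the report's static facts (assumed layout, not the sample)."""
    sections = [  # name, VirtualAddress, VirtualSize, Characteristics
        (b".text",  0x01000, 0x10000, 0x20 | 0x20000000 | 0x40000000),
        (b".rdata", 0x11000, 0x08000, 0x40 | 0x40000000),
        (b".rsrc",  0x19000, 0x01000, 0x40 | 0x40000000),
        (b".reloc", 0x1A000, 0x01000, 0x40 | 0x40000000 | 0x02000000),
    ]
    # IMPORT, RESOURCE, BASERELOC, LOAD_CONFIG, IAT: (RVA, size); other slots stay zero.
    dirs = {1: (0x11000, 0x100), 2: (0x19000, 0x200), 5: (0x1A000, 0x80),
            10: (0x11200, 0x140), 12: (0x11400, 0x300)}
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x10000, 0xA000, 0, 0x1000, 0x1000)
    opt += struct.pack("<QII", 0x180000000, 0x1000, 0x200)          # ImageBase, alignments
    opt += struct.pack("<HHHHHHI", 6, 0, 0, 0, 6, 0, 0)              # version fields
    opt += struct.pack("<III", 0x1B000, 0x400, 0)                    # SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0x0020 | 0x0040 | 0x0100)           # Subsystem, DllCharacteristics
    opt += struct.pack("<QQQQ", 0x100000, 0x1000, 0x100000, 0x1000)  # stack/heap reserve and commit
    opt += struct.pack("<II", 0, 16)                                 # LoaderFlags, NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", *dirs.get(i, (0, 0))) for i in range(16))
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + hdrs


if __name__ == "__main__":
    info = parse_pe64(build_sample_image())
    print(f"Image base 0x{info['image_base']:X}", info["dll_characteristics"])
    for name, sect in info["directories"].items():
        print(f"IMAGE_DIRECTORY_ENTRY_{name} is in: {sect}")
```

Run on a real file, parse_pe64(open(path, "rb").read()) gives the same dictionary; the image base above 0x60000000 together with DYNAMIC_BASE and HIGH_ENTROPY_VA is what makes the report's "Image base 0x180000000 > 0x60000000" observation worth noting, and an empty wx_sections list is the check to keep.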
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F75A20 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,GetSystemMetrics, 7_2_00007FF8B8F75A20
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\ProgramData\SnapMobile\Updater.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\ProgramData\Ventuso LLC\Updater.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\ProgramData\Talespin\Updater.dll Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe File created: C:\ProgramData\Spiralogics\Updater.dll Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe File created: C:\Windows\Tasks\Spiralogics.job Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F75E70 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 7_2_00007FF8B8F75E70
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 9565 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\ProgramData\SnapMobile\Updater.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\ProgramData\Ventuso LLC\Updater.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\ProgramData\Talespin\Updater.dll Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe Dropped PE file which has not been started: C:\ProgramData\Spiralogics\Updater.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\loaddll64.exe TID: 2964 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6760 Thread sleep count: 294 > 30 Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6760 Thread sleep time: -294000s >= -30000s Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6760 Thread sleep count: 9565 > 30 Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6760 Thread sleep time: -9565000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F713A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose, 7_2_00007FF8B8F713A0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F75A20 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,GetSystemMetrics, 7_2_00007FF8B8F75A20
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000 Jump to behavior
Source: rundll32.exe, 00000007.00000002.3297474319.00000151441FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.3297474319.00000151441B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F78C1C __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException, 7_2_00007FF8B8F78C1C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F8036C EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_00007FF8B8F8036C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F75A20 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,GetSystemMetrics, 7_2_00007FF8B8F75A20
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F75980 GetProcessHeap,HeapAlloc, 7_2_00007FF8B8F75980
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F7C538 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF8B8F7C538

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 185.161.251.26 443 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F7BDA8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_00007FF8B8F7BDA8
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F745E0 GetVolumeInformationW,GetModuleHandleW,GetComputerNameW,GetModuleHandleW,GetComputerNameExW,GetModuleHandleW,GetUserNameW,GetModuleHandleW,OpenMutexW,CloseHandle,GetModuleHandleW,GetTickCount,SleepEx, 7_2_00007FF8B8F745E0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FF8B8F75A20 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,GetSystemMetrics, 7_2_00007FF8B8F75A20
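The behaviour lines in this report describe one chain: the DLL copies itself to vendor-looking folders under C:\ProgramData, registers persistence through the legacy Task Scheduler COM object (CLSID {148BD52A-A2AB-11CE-B11F-00AA00530503} is CLSID_CTaskScheduler, served by mstask.dll, which is why a C:\Windows\Tasks\Spiralogics.job file appears rather than an XML task), relaunches the dropped copy with rundll32 "...\Updater.dll",Start /u, stalls in a 9565-iteration sleep loop, and finally connects from rundll32.exe to 185.161.251.26:443. The following is an added example, not part of the Joe Sandbox report: hunting rules for each step of that chain, run over event records constructed from the report's own lines. The record schema (kind, image, cmdline, target, dest, count, ms_each) is an assumption made for this example rather than a Sysmon or EDR format, so map the fields when porting the rules; the 30 s sleep threshold mirrors the report's "-30000s" comparison.

```python
r"""Hunting rules for the drop / .job persistence / rundll32 Start / sleep / C2 chain.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS is constructed
from the report's behaviour lines; the record schema is an assumption for this
example, not a Sysmon or EDR format.
"""
import ipaddress
import re

SAMPLE_EVENTS = [  # constructed from the report; not real telemetry
    # cmd -> rundll32 calling export #1 of the sample on the desktop (should not fire).
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1'},
    # Copy of itself dropped under a vendor-looking ProgramData folder.
    {"kind": "file", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\ProgramData\Talespin\Updater.dll"},
    # Legacy .job persistence. loaddll64.exe is the sandbox loader; on a real
    # host the writer is whatever process hosts the DLL.
    {"kind": "file", "image": r"C:\Windows\System32\loaddll64.exe",
     "target": r"C:\Windows\Tasks\Spiralogics.job"},
    # The task fires the dropped copy through its Start export.
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'C:\Windows\system32\rundll32.exe "C:\ProgramData\Spiralogics\Updater.dll",Start /u'},
    # 9565 one-second sleeps before the payload does anything.
    {"kind": "sleep", "image": r"C:\Windows\System32\rundll32.exe",
     "count": 9565, "ms_each": 1000},
    # Outbound TLS from rundll32.exe.
    {"kind": "network", "image": r"C:\Windows\System32\rundll32.exe",
     "dest": "185.161.251.26", "port": 443},
    # Benign control: rundll32 loading a System32 DLL must not fire.
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# rundll32 argument grammar: optional quotes, then <dll>,<export or #ordinal>.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>[^\s,]+)', re.I)
PROGRAMDATA_DLL = re.compile(r"^C:\\ProgramData\\[^\\]+\\[^\\]+\.dll$", re.I)
LEGACY_JOB = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
JOB_WRITERS = {"svchost.exe", "schtasks.exe", "mmc.exe"}   # processes expected to write .job files
DROPPERS = {"rundll32.exe", "regsvr32.exe", "loaddll64.exe"}
MAX_TOTAL_SLEEP_MS = 30_000                                 # same threshold the report applies


def _proc(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) tuples, in event order, for every record that matches a rule."""
    findings = []
    for ev in events:
        proc, kind = _proc(ev), ev["kind"]
        if kind == "process" and proc == "rundll32.exe":
            m = RUNDLL_ARG.search(ev["cmdline"])
            if m and PROGRAMDATA_DLL.match(m.group("dll")):
                findings.append(("rundll32_programdata_dll",
                                 f'{m.group("dll")} export={m.group("export")}'))
        elif kind == "file":
            target = ev["target"]
            if LEGACY_JOB.match(target) and proc not in JOB_WRITERS:
                findings.append(("legacy_job_written", f"{proc} -> {target}"))
            elif PROGRAMDATA_DLL.match(target) and proc in DROPPERS:
                findings.append(("dll_dropped_to_programdata", f"{proc} -> {target}"))
        elif kind == "sleep" and ev["count"] * ev["ms_each"] > MAX_TOTAL_SLEEP_MS:
            findings.append(("long_sleep_loop", f"{proc} slept {ev['count']}x{ev['ms_each']}ms"))
        elif kind == "network" and proc == "rundll32.exe":
            # rundll32 itself has no business talking to public addresses.
            if ipaddress.ip_address(ev["dest"]).is_global:
                findings.append(("rundll32_outbound", f"{ev['dest']}:{ev['port']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The .job rule is the one to keep even if the rest is tuned away: modern Task Scheduler clients write XML under C:\Windows\System32\Tasks, so a freshly created C:\Windows\Tasks\*.job from anything other than the scheduler service is rare on current Windows and is the durable artefact of this persistence method.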