Loading ...

Play interactive tourEdit tour

Analysis Report INV9698791470-20210111920647.xlsm

Overview

General Information

Sample Name:INV9698791470-20210111920647.xlsm
Analysis ID:338095
MD5:9b7c2b0abf5478ef9a23d9a9e87c7835
SHA1:6931c4b845a8a952699d9cf85b316e3b3d826a41
SHA256:a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Dridex e-Banking trojan
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapater information
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2432 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 1552 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1108 cmdline: -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • DW20.EXE (PID: 2460 cmdline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1804 MD5: 45A078B2967E0797360A2D4434C41DB4)
      • DWWIN.EXE (PID: 2452 cmdline: C:\Windows\system32\dwwin.exe -x -s 1804 MD5: 25247E3C4E7A7A73BAEEA6C0008952B1)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 4", "77.220.64.37:443", "80.86.91.27:3308", "5.100.228.233:3389", "46.105.131.65:1512"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: BlueMashroom DLL LoadShow sources
Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2432, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll., ProcessId: 1552
Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2432, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll., ProcessId: 1552
Sigma detected: Regsvr32 AnomalyShow sources
Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2432, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\deibsjhv.dll., ProcessId: 1552

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Found malware configurationShow sources
Source: 4.2.regsvr32.exe.460000.2.unpackMalware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 4", "77.220.64.37:443", "80.86.91.27:3308", "5.100.228.233:3389", "46.105.131.65:1512"]}
Multi AV Scanner detection for dropped fileShow sources
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eb3kd1le[1].zipReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\deibsjhv.dllReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted fileShow sources
Source: INV9698791470-20210111920647.xlsmVirustotal: Detection: 29%Perma Link
Source: INV9698791470-20210111920647.xlsmReversingLabs: Detection: 17%
Machine Learning detection for dropped fileShow sources
Source: C:\Users\user\AppData\Local\Temp\deibsjhv.dllJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eb3kd1le[1].zipJoe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49177 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49181 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49185 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49189 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49193 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49197 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49201 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49205 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49209 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49213 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49217 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49221 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49226 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49231 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49235 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49239 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49243 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49247 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49251 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49255 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49259 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49263 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49267 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49271 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49275 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49279 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49283 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49287 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49291 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49295 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49299 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49303 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49307 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49311 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49315 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49319 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49323 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49327 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49331 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49335 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49339 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49343 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49347 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49351 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49355 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49359 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49363 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49367 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49371 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49375 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49379 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49383 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49387 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49391 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49395 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49399 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49403 version: TLS 1.2
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0048CEF8 FindFirstFileExW,4_2_0048CEF8

Software Vulnerabilities:

barindex
Document exploit detected (creates forbidden files)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\deibsjhv.dllJump to behavior
Document exploit detected (drops PE files)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: eb3kd1le[1].zip.0.drJump to dropped file
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exeJump to behavior
Source: global trafficDNS query: name: inmindppe.com
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 77.220.64.37:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 160.153.133.116:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49168
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49170
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49171
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49171
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49173
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49174
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49175
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49175
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49177
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49178
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49179
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49179
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49181
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49182
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49183
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49183
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49185
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49186
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49187
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49187
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49189
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49190
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49191
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49191
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49193
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49194
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49195
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49195
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49197
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49198
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49199
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49199
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49201
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49202
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49203
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49203
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49205
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49206
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49207
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49207
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49209
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49210
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49211
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49211
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49213
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49214
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49215
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49215
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49217
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49218
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49219
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49219
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49221
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49222
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49223
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49223
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49226
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49228
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49229
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49229
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49231
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49232
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49233
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49233
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49235
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49236
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49237
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49237
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49239
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49240
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49241
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49241
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49243
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49244
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49245
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49245
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49247
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49248
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49249
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49249
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49251
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49252
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49253
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49253
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49255
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49256
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49257
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49257
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49259
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49260
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49261
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49261
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49263
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49264
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49265
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49265
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49267
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49268
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49269
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49269
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49271
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49272
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49273
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49273
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49275
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49276
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49277
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49277
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49279
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49280
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49281
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49281
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49283
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49284
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49285
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49285
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49287
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49288
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49289
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49289
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49291
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49292
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49293
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49293
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49295
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49296
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49297
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49297
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49299
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49300
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49301
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49301
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49303
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49304
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49305
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49305
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49307
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49308
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49309
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49309
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49311
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49312
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49313
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49313
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49315
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49316
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49317
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49317
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49319
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49320
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49321
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49321
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49323
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49324
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49325
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49325
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49327
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49328
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49329
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49329
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49331
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49332
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49333
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49333
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49335
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49336
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49337
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49337
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49339
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49340
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49341
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49341
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49343
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49344
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49345
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49345
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49347
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49348
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49349
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49349
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49351
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49352
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49353
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49353
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49355
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49356
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49357
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49357
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49359
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49360
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49361
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49361
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49363
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49364
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49365
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49365
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49367
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49368
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49369
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49369
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49371
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49372
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49373
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49373
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49375
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49376
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49377
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49377
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49379
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49380
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49381
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49381
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49383
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49384
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49385
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49385
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49387
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49388
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49389
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49389
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49391
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49392
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49393
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49393
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49395
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49396
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49397
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49397
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49399
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49400
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49401
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49401
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49403
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49404
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49405
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49405
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 80.86.91.27:3308
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 5.100.228.233:3389
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 46.105.131.65:1512
Source: Joe Sandbox ViewIP Address: 77.220.64.37 77.220.64.37
Source: Joe Sandbox ViewASN Name: SENTIANL SENTIANL
Source: Joe Sandbox ViewASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox ViewJA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: global trafficHTTP traffic detected: GET /eb3kd1le.zip HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: inmindppe.comConnection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004939F9 InternetReadFile,4_2_004939F9
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28E159F7.emfJump to behavior
Source: global trafficHTTP traffic detected: GET /eb3kd1le.zip HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: inmindppe.comConnection: Keep-Alive
Source: regsvr32.exe, 00000004.00000002.2382308141.00000000003F1000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com$T equals www.linkedin.com (Linkedin)
Source: DWWIN.EXE, 00000006.00000002.2233596594.0000000003540000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2382308141.00000000003F1000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknownDNS traffic detected: queries for: inmindppe.com
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: DWWIN.EXE, 00000006.00000002.2230867623.00000000028E3000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: DWWIN.EXE, 00000006.00000003.2228827682.000000000292D000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crtF
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000003.2228989819.0000000000538000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000003.2228989819.0000000000538000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: DWWIN.EXE, 00000006.00000002.2230867623.00000000028E3000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DWWIN.EXE, 00000006.00000002.2230867623.00000000028E3000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2229399297.00000000004F8000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: DWWIN.EXE, 00000006.00000003.2228898902.00000000004CE000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRa
Source: DWWIN.EXE, 00000006.00000002.2233596594.0000000003540000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000006.00000002.2233596594.0000000003540000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000006.00000002.2233949552.0000000003727000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000006.00000002.2233949552.0000000003727000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230821082.0000000002898000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000003.2228989819.0000000000538000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: DWWIN.EXE, 00000006.00000002.2230867623.00000000028E3000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000003.2228989819.0000000000538000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2382894388.0000000002180000.00000002.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2234299675.00000000041C0000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2382287592.0000000001CA0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2382544671.0000000001D80000.00000002.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2230070826.0000000002360000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000006.00000002.2233949552.0000000003727000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000006.00000002.2233949552.0000000003727000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2382894388.0000000002180000.00000002.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2234299675.00000000041C0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000003.2228989819.0000000000538000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000002.2230885971.0000000002904000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: DWWIN.EXE, 00000006.00000002.2233596594.0000000003540000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000006.00000002.2233949552.0000000003727000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000006.00000002.2233596594.0000000003540000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: DWWIN.EXE, 00000006.00000002.2233596594.0000000003540000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmpString found in binary or memory: https://46.105.131.65/
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmpString found in binary or memory: https://46.105.131.65/D
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmpString found in binary or memory: https://5.100.228.233/
Source: regsvr32.exe, 00000004.00000002.2382308141.00000000003F1000.00000004.00000020.sdmpString found in binary or memory: https://77.220.64.37/
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmpString found in binary or memory: https://80.86.91.27/
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmpString found in binary or memory: https://80.86.91.27/h
Source: regsvr32.exe, 00000004.00000002.2382325199.000000000041E000.00000004.00000020.sdmp, DWWIN.EXE, 00000006.00000003.2228989819.0000000000538000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Source: unknownNetwork traffic detected: HTTP traffic on port 49351 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49226
Source: unknownNetwork traffic detected: HTTP traffic on port 49185 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49347
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49189
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49343
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49221
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49185
Source: unknownNetwork traffic detected: HTTP traffic on port 49359 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49181
Source: unknownNetwork traffic detected: HTTP traffic on port 49339 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49279 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49271 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49339
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49217
Source: unknownNetwork traffic detected: HTTP traffic on port 49327 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49335
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49213
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49299
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49177
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49331
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49295
Source: unknownNetwork traffic detected: HTTP traffic on port 49319 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49173
Source: unknownNetwork traffic detected: HTTP traffic on port 49379 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49291
Source: unknownNetwork traffic detected: HTTP traffic on port 49371 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49173 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49213 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49259 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49209
Source: unknownNetwork traffic detected: HTTP traffic on port 49347 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49251 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49327
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49205
Source: unknownNetwork traffic detected: HTTP traffic on port 49267 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49399 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49323
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49201
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49287
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49283
Source: unknownNetwork traffic detected: HTTP traffic on port 49391 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49231 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49363 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49315 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49193 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49239 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49319
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49315
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49279
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49311
Source: unknownNetwork traffic detected: HTTP traffic on port 49295 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49399
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49275
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49395
Source: unknownNetwork traffic detected: HTTP traffic on port 49247 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49271
Source: unknownNetwork traffic detected: HTTP traffic on port 49335 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49391
Source: unknownNetwork traffic detected: HTTP traffic on port 49205 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49307 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49307
Source: unknownNetwork traffic detected: HTTP traffic on port 49383 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49303
Source: unknownNetwork traffic detected: HTTP traffic on port 49303 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49267
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49387
Source: unknownNetwork traffic detected: HTTP traffic on port 49181 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49263
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49383
Source: unknownNetwork traffic detected: HTTP traffic on port 49189 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49355 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49403 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49275 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49375 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49259
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49379
Source: unknownNetwork traffic detected: HTTP traffic on port 49323 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49255
Source: unknownNetwork traffic detected: HTTP traffic on port 49287 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49375
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49251
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49371
Source: unknownNetwork traffic detected: HTTP traffic on port 49255 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49177 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49343 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49217 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49403
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49247
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49367
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49243
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49363
Source: unknownNetwork traffic detected: HTTP traffic on port 49263 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49395 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49209 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49221 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49197 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49283 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49311 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49235 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49367 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49239
Source: unknownNetwork traffic detected: HTTP traffic on port 49243 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49359
Source: unknownNetwork traffic detected: HTTP traffic on port 49291 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49235
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49355
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49231
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49197
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49351
Source: unknownNetwork traffic detected: HTTP traffic on port 49331 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49201 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49193
Source: unknownNetwork traffic detected: HTTP traffic on port 49226 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49387 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49299 -> 443
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49177 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49181 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49185 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49189 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49193 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49197 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49201 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49205 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49209 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49213 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49217 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49221 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49226 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49231 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49235 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49239 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49243 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49247 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49251 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49255 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49259 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49263 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49267 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49271 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49275 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49279 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49283 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49287 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49291 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49295 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49299 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49303 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49307 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49311 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49315 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49319 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49323 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49327 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49331 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49335 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49339 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49343 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49347 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49351 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49355 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49359 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49363 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49367 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49371 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49375 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49379 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49383 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49387 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49391 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49395 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49399 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49403 version: TLS 1.2

E-Banking Fraud:

barindex
Detected Dridex e-Banking trojanShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00465150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW,4_2_00465150
Source: C:\Windows\System32\DWWIN.EXEFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCCJump to dropped file

System Summary:

barindex
Document contains an embedded VBA macro which may execute processesShow sources
Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")Name: pagesREviewsd
Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")Name: pagesREviewsd
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: INV9698791470-20210111920647.xlsmInitial sample: CALL
Source: INV9698791470-20210111920647.xlsmInitial sample: CALL
Source: INV9698791470-20210111920647.xlsmInitial sample: CALL
Source: INV9698791470-20210111920647.xlsmInitial sample: CALL
Office process drops PE fileShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eb3kd1le[1].zipJump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\deibsjhv.dllJump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004722A0 NtDelayExecution,4_2_004722A0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0048BE30 NtClose,4_2_0048BE30
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_001FB770 VirtualAlloc,VirtualAlloc,NtSetInformationProcess,4_2_001FB770
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_001FBA14 NtSetInformationProcess,4_2_001FBA14
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004651504_2_00465150
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004810204_2_00481020
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047D0304_2_0047D030
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004788C04_2_004788C0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00478CC04_2_00478CC0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0046ACD04_2_0046ACD0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047A0D04_2_0047A0D0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004798DA4_2_004798DA
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047E0A04_2_0047E0A0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0048DCA04_2_0048DCA0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004850A04_2_004850A0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00484CA04_2_00484CA0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00485CB04_2_00485CB0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004775644_2_00477564
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004615704_2_00461570
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047FDD04_2_0047FDD0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004889F04_2_004889F0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004871F04_2_004871F0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047D9804_2_0047D980
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0048D1804_2_0048D180
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047C5904_2_0047C590
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0046F9A04_2_0046F9A0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004812404_2_00481240
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047A6604_2_0047A660
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004876604_2_00487660
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00482E604_2_00482E60
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00469E704_2_00469E70
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00479E704_2_00479E70
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0046CA104_2_0046CA10
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0048FA104_2_0048FA10
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004802204_2_00480220
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0048D6204_2_0048D620
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00483EC04_2_00483EC0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0048FA104_2_0048FA10
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00466AD04_2_00466AD0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004796D04_2_004796D0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047F6E04_2_0047F6E0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047B6F04_2_0047B6F0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00478EF04_2_00478EF0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004862F04_2_004862F0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047AE804_2_0047AE80
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00478AB04_2_00478AB0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00481EB04_2_00481EB0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004826B04_2_004826B0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047BF504_2_0047BF50
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00475B604_2_00475B60
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00483B004_2_00483B00
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00489B104_2_00489B10
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004817304_2_00481730
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004783C04_2_004783C0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00477FC04_2_00477FC0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00487FC04_2_00487FC0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004767C84_2_004767C8
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0047E3F04_2_0047E3F0
Source: INV9698791470-20210111920647.xlsmOLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentationOLE, VBA macro: Module Sheet1, Function view_1_a_LayoutName: view_1_a_Layout
Source: INV9698791470-20210111920647.xlsmOLE indicator, VBA macros: true
Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1804
Source: eb3kd1le[1].zip.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eb3kd1le[1].zip.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_