Play interactive tour

Edit tour

Analysis Report INV8222874744_20210111490395.xlsm

Overview

General Information

Sample Name:	INV8222874744_20210111490395.xlsm
Analysis ID:	338363
MD5:	032734a3c93c44855955d4769b7ded98
SHA1:	f38cd18659e0fb5d862bac1d9f24691dda4a292c
SHA256:	1e66c639f157fa066c2e4070a46cb0af32548f4fba63684120513433059cd26d
Tags:	Dridexxlsm
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Dridex e-Banking trojan

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: BlueMashroom DLL Load

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Document contains an embedded VBA macro which may execute processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Regsvr32 Anomaly

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query network adapater information

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the installation date of Windows

Registers a DLL

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2288 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

regsvr32.exe (PID: 2548 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2540 cmdline: -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)

DW20.EXE (PID: 2460 cmdline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 2456 MD5: 45A078B2967E0797360A2D4434C41DB4)

DWWIN.EXE (PID: 2304 cmdline: C:\Windows\system32\dwwin.exe -x -s 2456 MD5: 25247E3C4E7A7A73BAEEA6C0008952B1)

cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 30341", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 8", "59.206.114.228:65153", "255.255.255.127:5491", "15.183.20.119:53893", "15.132.203.2:0", "70.129.254.255:65535", "127.114.235.190:65535", "255.127.104.242:15033", "162.104.101.15:41265"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2288, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., ProcessId: 2548

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2288, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., ProcessId: 2548

Sigma detected: Regsvr32 Anomaly

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.regsvr32.exe.3a0000.2.raw.unpack

Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 30341", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 8", "59.206.114.228:65153", "255.255.255.127:5491", "15.183.20.119:53893", "15.132.203.2:0", "70.129.254.255:65535", "127.114.235.190:65535", "255.127.104.242:15033", "162.104.101.15:41265"]}

Multi AV Scanner detection for submitted file

Show sources

Source: INV8222874744_20210111490395.xlsm

ReversingLabs: Detection: 42%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hhsz1e0[1].rar	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bjcbglsw.dll	Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 217.174.149.3:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49190 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49198 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49206 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49210 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49214 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49218 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49222 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49226 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49236 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49240 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49248 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49260 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49264 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49268 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49272 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49276 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49280 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49284 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49288 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49296 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49300 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49308 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49312 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49316 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49320 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49324 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49328 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49332 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49336 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49340 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49344 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49348 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49352 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49356 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49360 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49364 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49372 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49376 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49380 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49384 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49400 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49404 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49408 version: TLS 1.2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_003CCEF8 FindFirstFileExW,

4_2_003CCEF8

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\bjcbglsw.dll

Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: hhsz1e0[1].rar.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Jump to behavior

Source: global traffic

DNS query: name: media-server.skyinternet.com.pk

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 217.174.149.3:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 217.174.149.3:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49170
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49171
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49172
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49172
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49174
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49175
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49176
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49176
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49178
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49179
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49180
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49180
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49182
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49183
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49184
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49184
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49186
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49187
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49188
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49188
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49190
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49191
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49192
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49192
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49194
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49195
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49196
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49196
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49198
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49199
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49200
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49200
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49202
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49203
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49204
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49204
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49206
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49207
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49208
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49208
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49210
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49211
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49212
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49212
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49214
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49215
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49216
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49216
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49218
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49219
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49220
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49220
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49222
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49223
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49224
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49224
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49226
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49228
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49229
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49229
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49232
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49233
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49234
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49234
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49236
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49237
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49238
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49238
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49240
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49241
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49242
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49242
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49244
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49245
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49246
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49246
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49248
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49249
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49250
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49250
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49252
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49253
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49254
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49254
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49256
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49257
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49258
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49258
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49260
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49261
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49262
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49262
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49264
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49265
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49266
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49266
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49268
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49269
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49270
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49270
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49272
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49273
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49274
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49274
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49276
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49277
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49278
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49278
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49280
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49281
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49282
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49282
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49284
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49285
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49286
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49286
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49288
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49289
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49290
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49290
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49292
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49293
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49294
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49294
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49296
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49297
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49298
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49298
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49300
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49301
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49302
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49302
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49304
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49305
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49306
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49306
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49308
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49309
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49310
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49310
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49312
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49313
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49314
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49314
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49316
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49317
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49318
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49318
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49320
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49321
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49322
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49322
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49324
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49325
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49326
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49326
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49328
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49329
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49330
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49330
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49332
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49333
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49334
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49334
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49336
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49337
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49338
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49338
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49340
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49341
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49342
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49342
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49344
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49345
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49346
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49346
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49348
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49349
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49350
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49350
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49352
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49353
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49354
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49354
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49356
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49357
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49358
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49358
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49360
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49361
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49362
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49362
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49364
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49365
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49366
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49366
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49368
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49369
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49370
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49370
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49372
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49373
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49374
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49374
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49376
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49377
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49378
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49378
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49380
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49381
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49382
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49382
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49384
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49385
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49386
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49386
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49388
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49389
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49390
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49390
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49392
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49393
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49394
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49394
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49396
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49397
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49398
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49398
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49400
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49401
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49402
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49402
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49404
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49405
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49406
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49406
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49408
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49409
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49410
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49410

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 80.86.91.27:3308
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 5.100.228.233:3389
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 46.105.131.65:1512

Source: Joe Sandbox View	IP Address: 5.100.228.233 5.100.228.233
Source: Joe Sandbox View	IP Address: 80.86.91.27 80.86.91.27
Source: Joe Sandbox View	IP Address: 46.105.131.65 46.105.131.65

Source: Joe Sandbox View	ASN Name: SENTIANL SENTIANL
Source: Joe Sandbox View	ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87

Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_003D39F9 InternetReadFile,

4_2_003D39F9

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F82396A.emf

Jump to behavior

Source: regsvr32.exe, 00000004.00000002.2392732468.000000000050F000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2392732468.000000000050F000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: media-server.skyinternet.com.pk

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: DWWIN.EXE, 00000007.00000002.2238503044.00000000004A8000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.caby
Source: DWWIN.EXE, 00000007.00000002.2238488344.0000000000482000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enpw
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2243054454.0000000003900000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238527627.00000000004E9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2393787843.00000000020C0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2243298367.0000000003EA0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2392785990.0000000001DF0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2392840096.0000000001CC0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2238957386.0000000002310000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2393787843.00000000020C0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2243298367.0000000003EA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp	String found in binary or memory: https://46.105.131.65:1512/
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp	String found in binary or memory: https://46.105.131.65:1512/t
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2392699066.00000000004DF000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/
Source: regsvr32.exe, 00000004.00000002.2392699066.00000000004DF000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/7Q
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/T
Source: regsvr32.exe, 00000004.00000002.2392732468.000000000050F000.00000004.00000020.sdmp	String found in binary or memory: https://77.220.64.37/
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp	String found in binary or memory: https://80.86.91.27:3308/
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown	Network traffic detected: HTTP traffic on port 49288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49344
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 49336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown	Network traffic detected: HTTP traffic on port 49380 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49336
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49332
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49292
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49316 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49328
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 49292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49324
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 49324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49320
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49284
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49280
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49344 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49316
Source: unknown	Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49312
Source: unknown	Network traffic detected: HTTP traffic on port 49304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49276
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown	Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49308
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49300
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49384
Source: unknown	Network traffic detected: HTTP traffic on port 49284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49260
Source: unknown	Network traffic detected: HTTP traffic on port 49332 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49380
Source: unknown	Network traffic detected: HTTP traffic on port 49384 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49376
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49372
Source: unknown	Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49408
Source: unknown	Network traffic detected: HTTP traffic on port 49364 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49404
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown	Network traffic detected: HTTP traffic on port 49376 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown	Network traffic detected: HTTP traffic on port 49296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49364
Source: unknown	Network traffic detected: HTTP traffic on port 49408 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49360
Source: unknown	Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49356
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 49300 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49356 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49232 -> 443

Source: unknown	HTTPS traffic detected: 217.174.149.3:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49190 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49198 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49206 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49210 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49214 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49218 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49222 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49226 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49236 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49240 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49248 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49260 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49264 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49268 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49272 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49276 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49280 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49284 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49288 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49296 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49300 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49308 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49312 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49316 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49320 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49324 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49328 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49332 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49336 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49340 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49344 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49348 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49352 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49356 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49360 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49364 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49372 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49376 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49380 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49384 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49400 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49404 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49408 version: TLS 1.2

E-Banking Fraud:

Detected Dridex e-Banking trojan

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_003A5150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW,

4_2_003A5150

Source: C:\Windows\System32\DWWIN.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Jump to dropped file

System Summary:

Document contains an embedded VBA macro which may execute processes

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")			Name: pagesREviewsd
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")			Name: pagesREviewsd

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: INV8222874744_20210111490395.xlsm	Initial sample: CALL
Source: INV8222874744_20210111490395.xlsm	Initial sample: CALL
Source: INV8222874744_20210111490395.xlsm	Initial sample: CALL
Source: INV8222874744_20210111490395.xlsm	Initial sample: CALL

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\bjcbglsw.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hhsz1e0[1].rar			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B22A0 NtDelayExecution,	4_2_003B22A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CBE30 NtClose,	4_2_003CBE30
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0025B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess,	4_2_0025B780
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0025BA14 NtSetInformationProcess,	4_2_0025BA14

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003A5150	4_2_003A5150
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BD030	4_2_003BD030
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C1020	4_2_003C1020
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C5CB0	4_2_003C5CB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BE0A0	4_2_003BE0A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CDCA0	4_2_003CDCA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C50A0	4_2_003C50A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C4CA0	4_2_003C4CA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B98DA	4_2_003B98DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003AACD0	4_2_003AACD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BA0D0	4_2_003BA0D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B88C0	4_2_003B88C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B8CC0	4_2_003B8CC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003A1570	4_2_003A1570
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B7564	4_2_003B7564
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003AF9A0	4_2_003AF9A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BC590	4_2_003BC590
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BD980	4_2_003BD980
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CD180	4_2_003CD180
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C89F0	4_2_003C89F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C71F0	4_2_003C71F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BFDD0	4_2_003BFDD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C0220	4_2_003C0220
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CD620	4_2_003CD620
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003ACA10	4_2_003ACA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CFA10	4_2_003CFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003A9E70	4_2_003A9E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B9E70	4_2_003B9E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BA660	4_2_003BA660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C7660	4_2_003C7660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C2E60	4_2_003C2E60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C1240	4_2_003C1240
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B8AB0	4_2_003B8AB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C1EB0	4_2_003C1EB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C26B0	4_2_003C26B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BAE80	4_2_003BAE80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BB6F0	4_2_003BB6F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B8EF0	4_2_003B8EF0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C62F0	4_2_003C62F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BF6E0	4_2_003BF6E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003A6AD0	4_2_003A6AD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B96D0	4_2_003B96D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003CFA10	4_2_003CFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C3EC0	4_2_003C3EC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C1730	4_2_003C1730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C9B10	4_2_003C9B10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C3B00	4_2_003C3B00
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B5B60	4_2_003B5B60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BBF50	4_2_003BBF50
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003BE3F0	4_2_003BE3F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B67C8	4_2_003B67C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B83C0	4_2_003B83C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003B7FC0	4_2_003B7FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_003C7FC0	4_2_003C7FC0

Source: INV8222874744_20210111490395.xlsm	OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation	OLE, VBA macro: Module Sheet1, Function view_1_a_Layout			Name: view_1_a_Layout

Source: INV8222874744_20210111490395.xlsm

OLE indicator, VBA macros: true

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hhsz1e0[1].rar E3F7EB34C3A1FD306C7788096CB666F3362BA5AA78710074B61DD03F829B8AFD
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\bjcbglsw.dll E3F7EB34C3A1FD306C7788096CB666F3362BA5AA78710074B61DD03F829B8AFD

Source: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report INV8222874744_20210111490395.xlsm

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary: