Loading ...

Play interactive tourEdit tour

Analysis Report INV8222874744_20210111490395.xlsm

Overview

General Information

Sample Name:INV8222874744_20210111490395.xlsm
Analysis ID:338363
MD5:032734a3c93c44855955d4769b7ded98
SHA1:f38cd18659e0fb5d862bac1d9f24691dda4a292c
SHA256:1e66c639f157fa066c2e4070a46cb0af32548f4fba63684120513433059cd26d
Tags:Dridexxlsm

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Dridex e-Banking trojan
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapater information
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2288 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2548 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2540 cmdline: -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • DW20.EXE (PID: 2460 cmdline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 2456 MD5: 45A078B2967E0797360A2D4434C41DB4)
      • DWWIN.EXE (PID: 2304 cmdline: C:\Windows\system32\dwwin.exe -x -s 2456 MD5: 25247E3C4E7A7A73BAEEA6C0008952B1)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 30341", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 8", "59.206.114.228:65153", "255.255.255.127:5491", "15.183.20.119:53893", "15.132.203.2:0", "70.129.254.255:65535", "127.114.235.190:65535", "255.127.104.242:15033", "162.104.101.15:41265"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: BlueMashroom DLL LoadShow sources
Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2288, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., ProcessId: 2548
Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2288, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., ProcessId: 2548
Sigma detected: Regsvr32 AnomalyShow sources
Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2288, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\bjcbglsw.dll., ProcessId: 2548

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Found malware configurationShow sources
Source: 4.2.regsvr32.exe.3a0000.2.raw.unpackMalware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 30341", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 8", "59.206.114.228:65153", "255.255.255.127:5491", "15.183.20.119:53893", "15.132.203.2:0", "70.129.254.255:65535", "127.114.235.190:65535", "255.127.104.242:15033", "162.104.101.15:41265"]}
Multi AV Scanner detection for submitted fileShow sources
Source: INV8222874744_20210111490395.xlsmReversingLabs: Detection: 42%
Machine Learning detection for dropped fileShow sources
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hhsz1e0[1].rarJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bjcbglsw.dllJoe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: unknownHTTPS traffic detected: 217.174.149.3:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49186 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49190 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49198 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49202 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49206 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49210 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49214 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49218 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49222 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49226 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49232 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49236 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49240 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49244 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49248 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49252 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49256 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49260 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49264 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49268 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49272 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49276 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49280 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49284 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49288 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49292 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49296 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49300 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49304 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49308 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49312 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49316 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49320 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49324 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49328 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49332 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49336 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49340 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49344 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49348 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49352 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49356 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49360 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49364 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49368 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49372 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49376 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49380 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49384 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49388 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49392 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49396 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49400 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49404 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49408 version: TLS 1.2
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003CCEF8 FindFirstFileExW,4_2_003CCEF8

Software Vulnerabilities:

barindex
Document exploit detected (creates forbidden files)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\bjcbglsw.dllJump to behavior
Document exploit detected (drops PE files)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: hhsz1e0[1].rar.0.drJump to dropped file
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exeJump to behavior
Source: global trafficDNS query: name: media-server.skyinternet.com.pk
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 217.174.149.3:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 217.174.149.3:443

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49170
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49171
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49172
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49172
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49174
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49175
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49176
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49176
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49178
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49179
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49180
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49180
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49182
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49183
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49184
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49184
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49186
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49187
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49188
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49188
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49190
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49191
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49192
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49192
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49194
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49195
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49196
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49196
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49198
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49199
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49200
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49200
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49202
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49203
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49204
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49204
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49206
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49207
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49208
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49208
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49210
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49211
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49212
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49212
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49214
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49215
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49216
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49216
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49218
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49219
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49220
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49220
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49222
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49223
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49224
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49224
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49226
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49228
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49229
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49229
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49232
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49233
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49234
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49234
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49236
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49237
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49238
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49238
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49240
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49241
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49242
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49242
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49244
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49245
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49246
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49246
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49248
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49249
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49250
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49250
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49252
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49253
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49254
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49254
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49256
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49257
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49258
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49258
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49260
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49261
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49262
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49262
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49264
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49265
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49266
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49266
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49268
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49269
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49270
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49270
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49272
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49273
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49274
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49274
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49276
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49277
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49278
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49278
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49280
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49281
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49282
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49282
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49284
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49285
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49286
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49286
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49288
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49289
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49290
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49290
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49292
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49293
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49294
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49294
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49296
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49297
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49298
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49298
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49300
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49301
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49302
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49302
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49304
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49305
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49306
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49306
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49308
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49309
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49310
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49310
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49312
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49313
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49314
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49314
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49316
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49317
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49318
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49318
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49320
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49321
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49322
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49322
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49324
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49325
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49326
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49326
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49328
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49329
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49330
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49330
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49332
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49333
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49334
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49334
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49336
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49337
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49338
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49338
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49340
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49341
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49342
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49342
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49344
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49345
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49346
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49346
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49348
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49349
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49350
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49350
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49352
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49353
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49354
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49354
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49356
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49357
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49358
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49358
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49360
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49361
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49362
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49362
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49364
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49365
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49366
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49366
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49368
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49369
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49370
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49370
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49372
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49373
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49374
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49374
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49376
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49377
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49378
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49378
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49380
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49381
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49382
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49382
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49384
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49385
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49386
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49386
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49388
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49389
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49390
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49390
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49392
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49393
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49394
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49394
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49396
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49397
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49398
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49398
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49400
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49401
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49402
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49402
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49404
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49405
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49406
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49406
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49408
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49409
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49410
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49410
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 80.86.91.27:3308
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 5.100.228.233:3389
Source: global trafficTCP traffic: 192.168.2.22:49173 -> 46.105.131.65:1512
Source: Joe Sandbox ViewIP Address: 5.100.228.233 5.100.228.233
Source: Joe Sandbox ViewIP Address: 80.86.91.27 80.86.91.27
Source: Joe Sandbox ViewIP Address: 46.105.131.65 46.105.131.65
Source: Joe Sandbox ViewASN Name: SENTIANL SENTIANL
Source: Joe Sandbox ViewASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox ViewJA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003D39F9 InternetReadFile,4_2_003D39F9
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F82396A.emfJump to behavior
Source: regsvr32.exe, 00000004.00000002.2392732468.000000000050F000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2392732468.000000000050F000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknownDNS traffic detected: queries for: media-server.skyinternet.com.pk
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.drString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: DWWIN.EXE, 00000007.00000002.2238503044.00000000004A8000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.caby
Source: DWWIN.EXE, 00000007.00000002.2238488344.0000000000482000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enpw
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2243054454.0000000003900000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2238527627.00000000004E9000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: DWWIN.EXE, 00000007.00000002.2243113739.0000000003952000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2393787843.00000000020C0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2243298367.0000000003EA0000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2392785990.0000000001DF0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2392840096.0000000001CC0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2238957386.0000000002310000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2393787843.00000000020C0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2243298367.0000000003EA0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238072484.000000000397A000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000007.00000002.2242807574.0000000003677000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: DWWIN.EXE, 00000007.00000002.2242553500.0000000003490000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmpString found in binary or memory: https://46.105.131.65:1512/
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmpString found in binary or memory: https://46.105.131.65:1512/t
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2392699066.00000000004DF000.00000004.00000020.sdmpString found in binary or memory: https://5.100.228.233:3389/
Source: regsvr32.exe, 00000004.00000002.2392699066.00000000004DF000.00000004.00000020.sdmpString found in binary or memory: https://5.100.228.233:3389/7Q
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmpString found in binary or memory: https://5.100.228.233:3389/T
Source: regsvr32.exe, 00000004.00000002.2392732468.000000000050F000.00000004.00000020.sdmpString found in binary or memory: https://77.220.64.37/
Source: regsvr32.exe, 00000004.00000002.2392793966.000000000059C000.00000004.00000020.sdmpString found in binary or memory: https://80.86.91.27:3308/
Source: regsvr32.exe, 00000004.00000002.2392748354.0000000000523000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2238067186.0000000003973000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49348
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49226
Source: unknownNetwork traffic detected: HTTP traffic on port 49288 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49344
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49222
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49186
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49340
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49182
Source: unknownNetwork traffic detected: HTTP traffic on port 49336 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49256 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49388 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49210 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49218
Source: unknownNetwork traffic detected: HTTP traffic on port 49380 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49336
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49214
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49178
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49332
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49210
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49296
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49292
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
Source: unknownNetwork traffic detected: HTTP traffic on port 49392 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49316 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49276 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49194 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49368 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49404 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49360 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49328
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49206
Source: unknownNetwork traffic detected: HTTP traffic on port 49292 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49244 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49324
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49202
Source: unknownNetwork traffic detected: HTTP traffic on port 49324 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49288
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49320
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49284
Source: unknownNetwork traffic detected: HTTP traffic on port 49202 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49372 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49280
Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49344 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49316
Source: unknownNetwork traffic detected: HTTP traffic on port 49352 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49312
Source: unknownNetwork traffic detected: HTTP traffic on port 49304 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49276
Source: unknownNetwork traffic detected: HTTP traffic on port 49182 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49396
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49272
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49392
Source: unknownNetwork traffic detected: HTTP traffic on port 49222 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49264 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49236 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49308
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49304
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49268
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49300
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49388
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49264
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49384
Source: unknownNetwork traffic detected: HTTP traffic on port 49284 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49260
Source: unknownNetwork traffic detected: HTTP traffic on port 49332 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49380
Source: unknownNetwork traffic detected: HTTP traffic on port 49384 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49252 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49214 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49256
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49376
Source: unknownNetwork traffic detected: HTTP traffic on port 49190 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49252
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49372
Source: unknownNetwork traffic detected: HTTP traffic on port 49396 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49198 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49400 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49312 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49272 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49408
Source: unknownNetwork traffic detected: HTTP traffic on port 49364 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49404
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49248
Source: unknownNetwork traffic detected: HTTP traffic on port 49376 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49368
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49400
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49244
Source: unknownNetwork traffic detected: HTTP traffic on port 49296 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49364
Source: unknownNetwork traffic detected: HTTP traffic on port 49408 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49240
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49360
Source: unknownNetwork traffic detected: HTTP traffic on port 49248 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49240 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49206 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49340 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49178 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49308 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49348 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49218 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49268 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49236
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49356
Source: unknownNetwork traffic detected: HTTP traffic on port 49186 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49232
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49198
Source: unknownNetwork traffic detected: HTTP traffic on port 49300 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49352
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49194
Source: unknownNetwork traffic detected: HTTP traffic on port 49226 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49260 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49190
Source: unknownNetwork traffic detected: HTTP traffic on port 49356 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49280 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49320 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49328 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49232 -> 443
Source: unknownHTTPS traffic detected: 217.174.149.3:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49186 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49190 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49198 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49202 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49206 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49210 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49214 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49218 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49222 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49226 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49232 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49236 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49240 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49244 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49248 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49252 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49256 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49260 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49264 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49268 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49272 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49276 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49280 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49284 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49288 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49292 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49296 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49300 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49304 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49308 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49312 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49316 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49320 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49324 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49328 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49332 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49336 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49340 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49344 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49348 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49352 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49356 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49360 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49364 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49368 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49372 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49376 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49380 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49384 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49388 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49392 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49396 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49400 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49404 version: TLS 1.2
Source: unknownHTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49408 version: TLS 1.2

E-Banking Fraud:

barindex
Detected Dridex e-Banking trojanShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003A5150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW,4_2_003A5150
Source: C:\Windows\System32\DWWIN.EXEFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCCJump to dropped file

System Summary:

barindex
Document contains an embedded VBA macro which may execute processesShow sources
Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")Name: pagesREviewsd
Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")Name: pagesREviewsd
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: INV8222874744_20210111490395.xlsmInitial sample: CALL
Source: INV8222874744_20210111490395.xlsmInitial sample: CALL
Source: INV8222874744_20210111490395.xlsmInitial sample: CALL
Source: INV8222874744_20210111490395.xlsmInitial sample: CALL
Office process drops PE fileShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\bjcbglsw.dllJump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hhsz1e0[1].rarJump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B22A0 NtDelayExecution,4_2_003B22A0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003CBE30 NtClose,4_2_003CBE30
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0025B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess,4_2_0025B780
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0025BA14 NtSetInformationProcess,4_2_0025BA14
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003A51504_2_003A5150
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BD0304_2_003BD030
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C10204_2_003C1020
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C5CB04_2_003C5CB0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BE0A04_2_003BE0A0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003CDCA04_2_003CDCA0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C50A04_2_003C50A0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C4CA04_2_003C4CA0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B98DA4_2_003B98DA
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003AACD04_2_003AACD0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BA0D04_2_003BA0D0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B88C04_2_003B88C0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B8CC04_2_003B8CC0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003A15704_2_003A1570
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B75644_2_003B7564
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003AF9A04_2_003AF9A0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BC5904_2_003BC590
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BD9804_2_003BD980
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003CD1804_2_003CD180
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C89F04_2_003C89F0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C71F04_2_003C71F0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BFDD04_2_003BFDD0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C02204_2_003C0220
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003CD6204_2_003CD620
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003ACA104_2_003ACA10
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003CFA104_2_003CFA10
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003A9E704_2_003A9E70
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B9E704_2_003B9E70
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BA6604_2_003BA660
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C76604_2_003C7660
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C2E604_2_003C2E60
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C12404_2_003C1240
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B8AB04_2_003B8AB0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C1EB04_2_003C1EB0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C26B04_2_003C26B0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BAE804_2_003BAE80
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BB6F04_2_003BB6F0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B8EF04_2_003B8EF0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C62F04_2_003C62F0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BF6E04_2_003BF6E0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003A6AD04_2_003A6AD0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B96D04_2_003B96D0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003CFA104_2_003CFA10
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C3EC04_2_003C3EC0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C17304_2_003C1730
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C9B104_2_003C9B10
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C3B004_2_003C3B00
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B5B604_2_003B5B60
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BBF504_2_003BBF50
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003BE3F04_2_003BE3F0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B67C84_2_003B67C8
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B83C04_2_003B83C0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003B7FC04_2_003B7FC0
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_003C7FC04_2_003C7FC0
Source: INV8222874744_20210111490395.xlsmOLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentationOLE, VBA macro: Module Sheet1, Function view_1_a_LayoutName: view_1_a_Layout
Source: INV8222874744_20210111490395.xlsmOLE indicator, VBA macros: true
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hhsz1e0[1].rar E3F7EB34C3A1FD306C7788096CB666F3362BA5AA78710074B61DD03F829B8AFD
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\bjcbglsw.dll E3F7EB34C3A1FD306C7788096CB666F3362BA5AA78710074B61DD03F829B8AFD
Source: unknown