Analysis Report Inv0209966048-20210111075675.xls

Overview

General Information

Sample Name: Inv0209966048-20210111075675.xls
Analysis ID: 338362
MD5: 91baa6aad9201c0ccf3553a5b49eb967
SHA1: 9c182826d5dc041970f31a8d584580f870c3996c
SHA256: 01af3b5c1e2ed68272f542233aece70269a9e977815347a4b9c86bb2d97c086e
Tags: Dridex, xls

Detection

Hidden Macro 4.0 Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Dridex e-Banking trojan
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2028 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2356 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2328 cmdline: -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • DW20.EXE (PID: 3052 cmdline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1488 MD5: 45A078B2967E0797360A2D4434C41DB4)
      • DWWIN.EXE (PID: 2968 cmdline: C:\Windows\system32\dwwin.exe -x -s 1488 MD5: 25247E3C4E7A7A73BAEEA6C0008952B1)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 61074", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}

Yara Overview

Initial Sample

Source: Inv0209966048-20210111075675.xls
Rule: JoeSecurity_XlsWithMacro4
Description: Yara detected Xls With Macro 4.0
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2028, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll., ProcessId: 2356
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2028, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll., ProcessId: 2356
Sigma detected: Regsvr32 Anomaly
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2028, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll., ProcessId: 2356

Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.regsvr32.exe.590000.1.raw.unpack; Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 61074", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}
Multi AV Scanner detection for submitted file
Source: Inv0209966048-20210111075675.xls; Virustotal: Detection: 45%
Source: Inv0209966048-20210111075675.xls; Metadefender: Detection: 16%
Source: Inv0209966048-20210111075675.xls; ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\lwjmdgav.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\w80l82r[1].zip; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_008BCEF8 FindFirstFileExW, 4_2_008BCEF8

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\lwjmdgav.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: w80l82r[1].zip.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic; DNS query: name: education.scrollx.in
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 104.27.153.52:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49166
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49168
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49169
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49169
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49171
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49172
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49173
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49173
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49175
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49176
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49177
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49177
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49179
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49180
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49181
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49181
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49183
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49184
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49185
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49185
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49187
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49188
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49189
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49189
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49191
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49192
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49193
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49193
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49195
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49196
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49197
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49197
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49199
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49200
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49201
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49201
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49203
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49204
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49205
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49205
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49207
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49208
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49209
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49209
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49210
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49210
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49212
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49213
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49214
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49214
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49216
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49217
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49218
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49218
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49220
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49221
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49222
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49222
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49224
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49225
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49226
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49226
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49228
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49229
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49230
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49230
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49233
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49234
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49236
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49236
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49238
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49239
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49240
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49240
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49242
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49243
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49244
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49244
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49246
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49247
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49248
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49248
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49250
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49251
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49252
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49252
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49254
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49255
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49256
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49256
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49258
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49259
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49260
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49260
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 77.220.64.37:443 -> 192.168.2.22:49262
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 80.86.91.27:3308 -> 192.168.2.22:49263
    Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49264
    Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 5.100.228.233:3389 -> 192.168.2.22:49264
    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 80.86.91.27:3308
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 5.100.228.233:3389
    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 46.105.131.65:1512
    Source: Joe Sandbox ViewIP Address: 5.100.228.233 5.100.228.233
    Source: Joe Sandbox ViewIP Address: 80.86.91.27 80.86.91.27
    Source: Joe Sandbox ViewIP Address: 46.105.131.65 46.105.131.65
    Source: Joe Sandbox ViewIP Address: 77.220.64.37 77.220.64.37
    Source: Joe Sandbox ViewASN Name: SENTIANL SENTIANL
    Source: Joe Sandbox ViewASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
    Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
    Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
    Source: Joe Sandbox ViewJA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
    Source: unknownTCP traffic detected without corresponding DNS query: 77.220.64.37
    Source: unknownTCP traffic detected without corresponding DNS query: 80.86.91.27
    Source: unknownTCP traffic detected without corresponding DNS query: 5.100.228.233
    Source: unknownTCP traffic detected without corresponding DNS query: 46.105.131.65
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_008C39F9 InternetReadFile,4_2_008C39F9
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FECA1BF.emf
    Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
    Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
    Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
    Source: unknownDNS traffic detected: queries for: education.scrollx.in
    Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
    Source: DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2256367652.00000000001E0000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2261028499.000000000369D000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
    Source: DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
    Source: DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
    Source: regsvr32.exe, 00000004.00000003.2205271774.00000000003D0000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
    Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
    Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
    Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
    Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
    Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0%
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0-
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0/
    Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp, DWWIN.EXE, 00000007.00000002.2256367652.00000000001E0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com05
    Source: DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2261028499.000000000369D000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.entrust.net03
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2256367652.00000000001E0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.entrust.net0D
    Source: regsvr32.exe, 00000004.00000002.2409391868.0000000002390000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2261214468.0000000004000000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: regsvr32.exe, 00000003.00000002.2406957167.0000000001D90000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2407102495.00000000009A0000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2257019838.00000000024C0000.00000002.00000001.sdmp; String found in binary or memory: http://servername/isapibackend.dll
    Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
    Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
    Source: regsvr32.exe, 00000004.00000002.2409391868.0000000002390000.00000002.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2261214468.0000000004000000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000002.2256367652.00000000001E0000.00000004.00000001.sdmp; String found in binary or memory: http://www.digicert.com.my/cps.htm02
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2255931534.00000000036B4000.00000004.00000001.sdmp; String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
    Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
    Source: DWWIN.EXE, 00000007.00000002.2260811324.0000000003437000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
    Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
    Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://46.105.131.65/
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://46.105.131.65:1512/
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://46.105.131.65:1512/an
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://5.100.228.233/
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://5.100.228.233/=
    Source: regsvr32.exe, 00000004.00000003.2205277449.00000000003DD000.00000004.00000001.sdmp; String found in binary or memory: https://5.100.228.233:3389/
    Source: regsvr32.exe, 00000004.00000002.2406908102.000000000033F000.00000004.00000020.sdmp; String found in binary or memory: https://5.100.228.233:3389/H
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://5.100.228.233:3389/In
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://5.100.228.233:3389/in
    Source: regsvr32.exe, 00000004.00000002.2406908102.000000000033F000.00000004.00000020.sdmp; String found in binary or memory: https://5.100.228.233:3389/o
    Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: https://77.220.64.37/-39;
    Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: https://77.220.64.37/0;
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://80.86.91.27/
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://80.86.91.27:3308/TATE
    Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://80.86.91.27:3308/XPRE
    Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp, DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp; String found in binary or memory: https://secure.comodo.com/CPS0
    Source: unknown; Network traffic detected: HTTP traffic on port 443, in both directions (443 -> local port and local port -> 443), for each of the 62 local ports 49165, 49166, 49171, 49175, 49179, 49183, 49187, 49191, 49195, 49199, 49203, 49207, 49212, 49216, 49220, 49224, 49228, 49233, 49238, 49242, 49246, 49250, 49254, 49258, 49262, 49266, 49270, 49274, 49278, 49282, 49286, 49290, 49294, 49298, 49302, 49306, 49310, 49314, 49318, 49322, 49326, 49330, 49334, 49338, 49342, 49346, 49350, 49354, 49358, 49362, 49366, 49370, 49374, 49378, 49382, 49386, 49390, 49394, 49398, 49402, 49406, 49410
    Source: unknown; HTTPS traffic detected: 104.27.153.52:443 -> 192.168.2.22:49165 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:<local port> version: TLS 1.2, one session per local port, for each of the 61 local ports 49166, 49171, 49175, 49179, 49183, 49187, 49191, 49195, 49199, 49203, 49207, 49212, 49216, 49220, 49224, 49228, 49233, 49238, 49242, 49246, 49250, 49254, 49258, 49262, 49266, 49270, 49274, 49278, 49282, 49286, 49290, 49294, 49298, 49302, 49306, 49310, 49314, 49318, 49322, 49326, 49330, 49334, 49338, 49342, 49346, 49350, 49354, 49358, 49362, 49366, 49370, 49374, 49378, 49382, 49386, 49390, 49394, 49398, 49402, 49406, 49410
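The memory strings and TLS connection records above are the raw material for IOC extraction, and a practitioner reading such a report usually wants two things separated quickly: the certificate-store noise (CRL, OCSP and CPS URLs) and the bare-IP endpoints, with the latter cross-checked against connections the sandbox actually observed. The following Python script is an added example and not part of the Joe Sandbox report; its sample input is a handful of lines copied from this section (with the fused "Source ... String found" layout split on "; " for readability; the parser does not depend on that separator), and its ranking rules (a non-standard port, or a matching observed connection, raises confidence) are the example's own heuristics, not a verdict the report makes.

```python
"""Triage of Joe Sandbox 'String found in binary or memory' and 'HTTPS traffic
detected' lines: pull out bare-IP endpoints and rank them as C2 candidates."""
import re
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: a few lines copied from the report section above.
SAMPLE_REPORT = """\
Source: DWWIN.EXE, 00000007.00000003.2256002610.000000000015E000.00000004.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: regsvr32.exe, 00000004.00000003.2205261646.00000000003B1000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://46.105.131.65:1512/an
Source: regsvr32.exe, 00000004.00000003.2205277449.00000000003DD000.00000004.00000001.sdmp; String found in binary or memory: https://5.100.228.233:3389/
Source: regsvr32.exe, 00000004.00000002.2406932128.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: https://77.220.64.37/0;
Source: regsvr32.exe, 00000004.00000002.2406981782.00000000003DD000.00000004.00000020.sdmp; String found in binary or memory: https://80.86.91.27:3308/TATE
Source: unknown; HTTPS traffic detected: 104.27.153.52:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.22:49171 version: TLS 1.2
"""

STRING_RE = re.compile(r"String found in binary or memory:\s*(https?://\S+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected:\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*\S+\s+version:\s*(TLS\s*[\d.]+)"
)
STANDARD_WEB_PORTS = {80, 443}


def _host_port(url):
    """Return (hostname, port) for a URL, applying the scheme's default port.
    Memory strings often carry trailing junk bytes after the real URL; the
    junk lands in the path (or, for domains, glued to the hostname), so
    hostnames are reported as-is and only bare IPs are treated as endpoints."""
    parts = urlsplit(url)
    try:
        port = parts.port            # ValueError if the port field is garbage
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname, port


def extract_iocs(report_text):
    """Parse the report excerpt into bare-IP endpoints seen in memory, hostnames
    seen in memory, and TLS servers actually contacted (with session counts)."""
    ip_endpoints = set()       # (ip, port, scheme)
    hostnames = set()          # mostly CRL/OCSP/CPS URLs from the cert store
    tls_servers = Counter()    # (ip, port) -> number of TLS sessions
    for line in report_text.splitlines():
        m = STRING_RE.search(line)
        if m:
            hp = _host_port(m.group(1))
            if hp is None or hp[0] is None:
                continue
            host, port = hp
            try:
                ip_address(host)
            except ValueError:
                hostnames.add(host)
                continue
            ip_endpoints.add((host, port, urlsplit(m.group(1)).scheme))
            continue
        m = TLS_RE.search(line)
        if m:
            tls_servers[(m.group(1), int(m.group(2)))] += 1
    return {"ip_endpoints": ip_endpoints, "hostnames": hostnames,
            "tls_servers": tls_servers}


def c2_candidates(iocs):
    """Rank bare-IP endpoints. Heuristics (this example's assumptions, not the
    report's verdict): a non-standard port and a corroborating sandbox
    connection each raise confidence that the endpoint is C2 rather than decoy data."""
    contacted = {ip for ip, _ in iocs["tls_servers"]}
    ranked = []
    for ip, port, _scheme in sorted(iocs["ip_endpoints"]):
        reasons = []
        if port not in STANDARD_WEB_PORTS:
            reasons.append("non-standard port")
        if ip in contacted:
            reasons.append("connection observed in sandbox")
        ranked.append((f"{ip}:{port}", tuple(reasons)))
    return ranked


def traffic_only(iocs):
    """TLS servers contacted that never appear as a URL in memory: worth a manual
    look (CDN, benign update check, or a C2 address that is decrypted on the fly)."""
    in_memory = {ip for ip, _, _ in iocs["ip_endpoints"]}
    return {(ip, port) for ip, port in iocs["tls_servers"] if ip not in in_memory}


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REPORT)
    for endpoint, reasons in c2_candidates(iocs):
        print(endpoint, "|", ", ".join(reasons) or "no corroboration")
    print("traffic only:", sorted(traffic_only(iocs)))
```

Run against the full section rather than the sample, the same parser yields the four bare-IP endpoints (46.105.131.65:1512, 5.100.228.233:3389, 77.220.64.37:443, 80.86.91.27:3308) and shows that only 77.220.64.37 was actually contacted during the run, which is the endpoint to block first; the others still belong on a watchlist, since a Dridex loader typically carries several fallback addresses.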

    E-Banking Fraud:

    Detected Dridex e-Banking trojan
    Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_00895150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW
    Source: C:\Windows\System32\DWWIN.EXE; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    System Summary:

    Document contains an embedded VBA macro which may execute processes
    Source: VBA code instrumentation; OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab"); Name: pagesREviewsd
    Found Excel 4.0 Macro with suspicious formulas
    Source: Inv0209966048-20210111075675.xls; Initial sample: CALL
    Office process drops PE file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\lwjmdgav.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\w80l82r[1].zip
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory allocated: 76E20000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory allocated: 76D20000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_008A22A0 NtDelayExecution
    Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_008BBE30 NtClose
    Source: C:\Windows\SysWOW64\regsvr32.exe; Code functions: 4_2_00895150, 4_2_008AE0A0, 4_2_008BDCA0, 4_2_008B50A0, 4_2_008B4CA0, 4_2_008B5CB0, 4_2_008A88C0, 4_2_008A8CC0, 4_2_008A98DA, 4_2_0089ACD0, 4_2_008AA0D0, 4_2_008B1020, 4_2_008AD030, 4_2_008AD980, 4_2_008BD180, 4_2_008AC590, 4_2_0089F9A0, 4_2_008AFDD0, 4_2_008B89F0, 4_2_008B71F0, 4_2_008A7564, 4_2_00891570, 4_2_008AAE80, 4_2_008A8AB0, 4_2_008B1EB0, 4_2_008B26B0, 4_2_008B3EC0, 4_2_008BFA10, 4_2_00896AD0, 4_2_008A96D0, 4_2_008AF6E0, 4_2_008AB6F0, 4_2_008A8EF0, 4_2_008B62F0, 4_2_0089CA10, 4_2_008B0220, 4_2_008BD620, 4_2_008B1240, 4_2_008AA660, 4_2_008B7660, 4_2_008B2E60, 4_2_00899E70, 4_2_008A9E70, 4_2_008A67C8, 4_2_008A83C0, 4_2_008A7FC0, 4_2_008B7FC0, 4_2_008AE3F0, 4_2_008B3B00, 4_2_008B9B10, 4_2_008B1730, 4_2_008ABF50, 4_2_008A5B60
    Source: Inv0209966048-20210111075675.xls; OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
    Source: VBA code instrumentation; OLE, VBA macro: Module Sheet1, Function view_1_a_Layout; Name: view_1_a_Layout
    Source: Inv0209966048-20210111075675.xls; OLE indicator, VBA macros: true
    Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1488
    Source: w80l82r[1].zip.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 entries)
    Source: lwjmdgav.dll.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 entries)
    Source: DWWIN.EXE, 00000007.00000002.2260615326.0000000003250000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
    Source: classification engine; Classification label: mal100.bank.expl.evad.winXLS@9/18@1/5
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
    Source: C:\Windows\System32\DWWIN.EXE; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2028
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRE407.tmp
    Source: Inv0209966048-20210111075675.xls; OLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: C:\Windows\SysWOW64\regsvr32.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\System32\DWWIN.EXE; File read: C:\Windows\System32\drivers\etc\hosts
    Source: Inv0209966048-20210111075675.xls; Virustotal: Detection: 45%
    Source: Inv0209966048-20210111075675.xls; Metadefender: Detection: 16%
    Source: Inv0209966048-20210111075675.xls; ReversingLabs: Detection: 34%
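Two findings in the summary above are the ones that translate most directly into host-based detection: EXCEL.EXE writing a PE (lwjmdgav.dll, and a second PE under a .zip name in Content.IE5) into user-writable temp locations, and the Dridex code then running inside regsvr32.exe. The Python below is an added example and not part of the Joe Sandbox report; it correlates those two steps over constructed Sysmon-style events (11 = FileCreate, 1 = ProcessCreate). The file paths are the ones the report lists, but the regsvr32 command line, the MZ magic on each file, the timestamps and the benign decoy events are assumptions made for the example; the report does not show that command line.

```python
"""Correlate an Office process dropping a PE into a user temp path with a
regsvr32.exe start that names the dropped file on its command line."""
import os

# Constructed Sysmon-style events (not taken from the report): 11 = FileCreate,
# 1 = ProcessCreate. Only the paths come from the report; everything else
# (magic bytes, timestamps, command lines, the benign entries) is assumed.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EVENTS = [
    {"t": 0, "id": 11, "image": EXCEL, "magic": b"MZ",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\w80l82r[1].zip"},
    {"t": 1, "id": 11, "image": EXCEL, "magic": b"MZ",
     "target": r"C:\Users\user\AppData\Local\Temp\lwjmdgav.dll"},
    {"t": 2, "id": 11, "image": EXCEL, "magic": b"\x00\x00",          # benign temp file
     "target": r"C:\Users\user\AppData\Local\Temp\CVRE407.tmp"},
    {"t": 3, "id": 1, "image": r"C:\Windows\SysWOW64\regsvr32.exe", "parent": EXCEL,
     "cmdline": r"regsvr32.exe -s C:\Users\user\AppData\Local\Temp\lwjmdgav.dll"},
    {"t": 4, "id": 1, "image": r"C:\Windows\System32\regsvr32.exe",   # benign install
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\comserver.dll"},
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
PE_EXTENSIONS = {".exe", ".dll", ".ocx", ".scr", ".cpl", ".sys"}
USER_TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\content.ie5\\", "\\appdata\\roaming\\")


def _basename_lower(path):
    # Windows paths handled on any host by normalising the separator first.
    return os.path.basename(path.replace("\\", "/")).lower()


def is_office_process(image):
    return _basename_lower(image) in OFFICE_IMAGES


def in_user_writable_temp(path):
    low = path.lower()
    return any(marker in low for marker in USER_TEMP_MARKERS)


def office_pe_drops(events):
    """Rule 1: an Office process writes a file that starts with the MZ header
    into a user temp path. The drop is flagged regardless of extension, and an
    extension that does not match the content (the .zip above is really a PE)
    is recorded separately, since that alone is a strong signal."""
    hits = []
    for ev in events:
        if ev["id"] != 11 or not is_office_process(ev["image"]):
            continue
        if ev.get("magic") != b"MZ" or not in_user_writable_temp(ev["target"]):
            continue
        ext = os.path.splitext(ev["target"])[1].lower()
        hits.append({"rule": "office_dropped_pe", "t": ev["t"], "path": ev["target"],
                     "extension_mismatch": ext not in PE_EXTENSIONS})
    return hits


def regsvr32_loads_drop(events, drops, window=60):
    """Rule 2: regsvr32.exe starts within `window` seconds after a rule-1 drop
    and names the dropped path on its command line. Matching on the full path
    keeps a vendor installer registering its own COM server out of the alert."""
    hits = []
    for ev in events:
        if ev["id"] != 1 or _basename_lower(ev["image"]) != "regsvr32.exe":
            continue
        cmd = ev.get("cmdline", "").lower()
        for drop in drops:
            if drop["path"].lower() in cmd and 0 <= ev["t"] - drop["t"] <= window:
                hits.append({"rule": "regsvr32_loads_office_drop", "t": ev["t"],
                             "path": drop["path"], "parent": ev.get("parent")})
    return hits


def correlate(events, window=60):
    drops = office_pe_drops(events)
    return drops + regsvr32_loads_drop(events, drops, window)


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed input this raises two rule-1 alerts (the .zip with an extension mismatch and lwjmdgav.dll) and one rule-2 alert for the regsvr32 start that references lwjmdgav.dll; the msiexec-spawned regsvr32 does not fire because its DLL is not an Office drop. In a real pipeline the MZ check comes from a file-hash or content inspection feed rather than the event itself, and the window should be tuned to the telemetry's clock skew.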