Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.15803.23095

AV Detection:

Antivirus detection for URL or domain

Source: http://www.chipmania.it/mails/open.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: wermgr.exe.2408.6.memstr

Malware Configuration Extractor: Trickbot {"gtag": "rob60", "C2 list": ["116.68.162.92:443", "190.239.34.181:443", "154.0.134.130:443", "187.95.136.38:443", "123.231.180.130:443", "109.69.4.201:443", "45.184.189.34:443", "193.8.194.96:443"], "modules": ["pwgrab", "mcconf"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls	Virustotal: Detection: 11%			Perma Link
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls	ReversingLabs: Detection: 27%

Yara detected Trickbot

Source: Yara match

File source: Process Memory Space: wermgr.exe PID: 2408, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007BCA0 CryptAcquireContextW,		6_2_0007BCA0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008B68C CryptUnprotectData,		10_2_000000018008B68C

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49179 version: TLS 1.0

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:

Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2095142044.000000006E169000.00000002.00020000.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00061290 FindFirstFileW,FindNextFileW,		6_2_00061290
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,		6_2_000646F0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007FBB0 FindFirstFileW,SleepEx,FindNextFileW,		6_2_0007FBB0

Software Vulnerabilities:

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: 10[1].jjkes.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 47MB

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_00072C50
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_000784E0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h		6_2_00061500
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_000789B0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then movzx ecx, word ptr [eax+02h]		6_2_00069200
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov ecx, 00004E20h		6_2_00082659
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then movzx edx, word ptr [eax]		6_2_000646F0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc dword ptr [esp+40h]		6_2_000743C0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_000743C0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc ecx		6_2_0007B050
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_00073860
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec ecx		6_2_00081890
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_00081890
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_000698D0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc esp		6_2_000624E0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_0006E9E0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_00065DF0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then movzx eax, byte ptr [ebx]		6_2_0007BE20
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc esp		6_2_0007B240
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax		6_2_000772A0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc edx		6_2_0006BEC0
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then movzx ebx, word ptr [eax]		6_2_00073B00
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov ebx, edx		6_2_0006EBE0

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.chipmania.it

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 94.140.114.136:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.81.0.78:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.22:49166 -> 94.140.114.136:443
Source: Traffic	Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.22:49170 -> 193.8.194.96:443
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49170
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49174 -> 185.109.54.99:447
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49175
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49177
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49178
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49179

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 116.68.162.92:443
Source: Malware configuration extractor	IPs: 190.239.34.181:443
Source: Malware configuration extractor	IPs: 154.0.134.130:443
Source: Malware configuration extractor	IPs: 187.95.136.38:443
Source: Malware configuration extractor	IPs: 123.231.180.130:443
Source: Malware configuration extractor	IPs: 109.69.4.201:443
Source: Malware configuration extractor	IPs: 45.184.189.34:443
Source: Malware configuration extractor	IPs: 193.8.194.96:443

May check the online IP address of the machine

Source: unknown	DNS query: name: wtfismyip.com
Source: unknown	DNS query: name: wtfismyip.com
Source: unknown	DNS query: name: wtfismyip.com
Source: unknown	DNS query: name: wtfismyip.com

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 11

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49174 -> 185.109.54.99:447

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.81.0.78 185.81.0.78
Source: Joe Sandbox View	IP Address: 193.8.194.96 193.8.194.96

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: LINTASARTA-AS-APNetworkAccessProviderandInternetServic LINTASARTA-AS-APNetworkAccessProviderandInternetServic
Source: Joe Sandbox View	ASN Name: TelefonicadelPeruSAAPE TelefonicadelPeruSAAPE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /mails/open.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.chipmania.itConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: POST /rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/ HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=---------FNVPIRVIEKQTDGGIConnection: CloseUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 116.68.162.92:443Content-Length: 282Cache-Control: no-cache

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49179 version: TLS 1.0

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.114.136
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.114.136
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.114.136
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.114.136
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.114.136
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.114.136
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.8.194.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99
Source: unknown	TCP traffic detected without corresponding DNS query: 185.109.54.99

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /mails/open.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.chipmania.itConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /text HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.71.0Host: wtfismyip.com

Found strings which match to known social media urls

Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.chipmania.it

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/ HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=---------FNVPIRVIEKQTDGGIConnection: CloseUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 116.68.162.92:443Content-Length: 282Cache-Control: no-cache

Urls found in memory or binary data

Source: wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp	String found in binary or memory: Https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/bnfhZJn91PhwAc8eqCIkI2c
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp	String found in binary or memory: http://109.69.4.201:443
Source: wermgr.exe, 00000006.00000002.2362068163.0000000032D8C000.00000004.00000040.sdmp, wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp	String found in binary or memory: http://116.68.162.92:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp	String found in binary or memory: http://123.231.180.130:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp	String found in binary or memory: http://154.0.134.130:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp	String found in binary or memory: http://187.95.136.38:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp	String found in binary or memory: http://190.239.34.181:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp	String found in binary or memory: http://45.184.189.34:443
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wermgr.exe, 00000006.00000003.2299229842.0000000033367000.00000004.00000001.sdmp	String found in binary or memory: http://crl.use
Source: wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enl
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000006.00000003.2299229842.0000000033367000.00000004.00000001.sdmp	String found in binary or memory: http://logo.veri
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: wermgr.exe, 00000006.00000002.2362599901.0000000033740000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2357215363.0000000000800000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: wermgr.exe, 00000006.00000002.2363434960.0000000034070000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wermgr.exe, 00000006.00000002.2362599901.0000000033740000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2357215363.0000000000800000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: wermgr.exe, 00000006.00000002.2362554842.00000000333A0000.00000004.00000001.sdmp	String found in binary or memory: https://185.109.54.99:447/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/5/pwgrab64/
Source: wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp	String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/jvvnxhpdjrND3fPr33rZPHh
Source: wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp	String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/
Source: wermgr.exe, 00000006.00000002.2357267628.0000000000340000.00000004.00000020.sdmp	String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/U
Source: wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp	String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/o
Source: wermgr.exe, 00000006.00000002.2362530513.000000003337E000.00000004.00000001.sdmp	String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DEBG//e
Source: wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp	String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//
Source: wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp	String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//3
Source: wermgr.exe, 00000006.00000002.2362536618.0000000033385000.00000004.00000001.sdmp	String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//W
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

E-Banking Fraud:

Yara detected Trickbot

Source: Yara match

File source: Process Memory Space: wermgr.exe PID: 2408, type: MEMORY

System Summary:

Found malicious Excel 4.0 Macro

Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls

Initial sample: urlmon

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing button from the yellow bar above 15 " Once you have enabled editing, please click
Source: Screenshot number: 4	Screenshot OCR: Enable content button jl , ' ' "==~ " from the yellow bar above 1| 24 25 26 27 28 29 30
Source: Document image extraction number: 0	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 0	Screenshot OCR: Enable content button from the yellow bar above I \ , I ' /
Source: Document image extraction number: 1	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 1	Screenshot OCR: Enable content button from the yellow bar above j'

Found Excel 4.0 Macro with suspicious formulas

Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls

Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\BASE.BABAA			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007B470 NtDelayExecution,		6_2_0007B470
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0006F6B0 NtQueryInformationProcess,		6_2_0006F6B0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000743C0 NtQuerySystemInformation,DuplicateHandle,CLSIDFromString,CloseHandle,HeapFree,		6_2_000743C0

Detected potential crypto function

Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00068010		6_2_00068010
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00082060		6_2_00082060
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007D0A0		6_2_0007D0A0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007BCA0		6_2_0007BCA0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00078CA0		6_2_00078CA0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0006E0F0		6_2_0006E0F0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00061500		6_2_00061500
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000789B0		6_2_000789B0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00069200		6_2_00069200
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00061290		6_2_00061290
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0006C290		6_2_0006C290
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000743C0		6_2_000743C0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00077840		6_2_00077840
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00080870		6_2_00080870
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000644C0		6_2_000644C0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000790E0		6_2_000790E0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000714F0		6_2_000714F0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00076100		6_2_00076100
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00076D10		6_2_00076D10
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00072580		6_2_00072580
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007CA00		6_2_0007CA00
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007BE20		6_2_0007BE20
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00077630		6_2_00077630
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007CE70		6_2_0007CE70
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0006A280		6_2_0006A280
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0006CEB0		6_2_0006CEB0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00073B00		6_2_00073B00
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007B700		6_2_0007B700
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0006E310		6_2_0006E310
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00062720		6_2_00062720
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00075F70		6_2_00075F70
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000763A8		6_2_000763A8
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000717B0		6_2_000717B0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00110040		6_2_00110040
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180014030		10_2_0000000180014030
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800B5134		10_2_00000001800B5134
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800A114C		10_2_00000001800A114C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800A0200		10_2_00000001800A0200
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018001F204		10_2_000000018001F204
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800873D0		10_2_00000001800873D0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008C5F4		10_2_000000018008C5F4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008B874		10_2_000000018008B874
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018009AAF4		10_2_000000018009AAF4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018001EC6C		10_2_000000018001EC6C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800B4D04		10_2_00000001800B4D04
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008BF24		10_2_000000018008BF24
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008E000		10_2_000000018008E000
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180093044		10_2_0000000180093044
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180086048		10_2_0000000180086048
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800210A4		10_2_00000001800210A4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180003174		10_2_0000000180003174
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180005190		10_2_0000000180005190
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008C188		10_2_000000018008C188
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800651D8		10_2_00000001800651D8
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008E218		10_2_000000018008E218
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008D22C		10_2_000000018008D22C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800A9250		10_2_00000001800A9250
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180023258		10_2_0000000180023258
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180001270		10_2_0000000180001270
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180010298		10_2_0000000180010298
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018001C2A8		10_2_000000018001C2A8
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800022B0		10_2_00000001800022B0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180016340		10_2_0000000180016340
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018002535C		10_2_000000018002535C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018007B3A8		10_2_000000018007B3A8
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800123C4		10_2_00000001800123C4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008C3D0		10_2_000000018008C3D0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800B3420		10_2_00000001800B3420
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008E478		10_2_000000018008E478
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800794B8		10_2_00000001800794B8
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800054D4		10_2_00000001800054D4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800A14D4		10_2_00000001800A14D4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800034E0		10_2_00000001800034E0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018009150C		10_2_000000018009150C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180063548		10_2_0000000180063548
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800CB548		10_2_00000001800CB548
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800CA564		10_2_00000001800CA564
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018005D59C		10_2_000000018005D59C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800015A8		10_2_00000001800015A8
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800935A4		10_2_00000001800935A4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800A25D0		10_2_00000001800A25D0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018007E5E0		10_2_000000018007E5E0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180002614		10_2_0000000180002614
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008E668		10_2_000000018008E668
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018001E6A4		10_2_000000018001E6A4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800B073C		10_2_00000001800B073C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180019748		10_2_0000000180019748
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800CB7C0		10_2_00000001800CB7C0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800B27E0		10_2_00000001800B27E0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018000381C		10_2_000000018000381C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800C5828		10_2_00000001800C5828
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008C844		10_2_000000018008C844
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180060854		10_2_0000000180060854
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800018EC		10_2_00000001800018EC
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018001B8F4		10_2_000000018001B8F4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008E938		10_2_000000018008E938
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180002958		10_2_0000000180002958
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018001897C		10_2_000000018001897C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800A99B0		10_2_00000001800A99B0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800C49AC		10_2_00000001800C49AC
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800249B8		10_2_00000001800249B8
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800A3A2C		10_2_00000001800A3A2C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180032A2C		10_2_0000000180032A2C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008BAFC		10_2_000000018008BAFC
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018001DB00		10_2_000000018001DB00
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018001DB04		10_2_000000018001DB04
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018001BB4C		10_2_000000018001BB4C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180090B48		10_2_0000000180090B48
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180003B54		10_2_0000000180003B54
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008DBA4		10_2_000000018008DBA4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018005CBF0		10_2_000000018005CBF0
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180001C28		10_2_0000000180001C28
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180017C44		10_2_0000000180017C44
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800C1D10		10_2_00000001800C1D10
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180097D1C		10_2_0000000180097D1C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800ACD50		10_2_00000001800ACD50
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800AEDB4		10_2_00000001800AEDB4
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180096DDC		10_2_0000000180096DDC
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800A1E2C		10_2_00000001800A1E2C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180091E50		10_2_0000000180091E50
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180004E50		10_2_0000000180004E50
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800BFE6C		10_2_00000001800BFE6C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018007DE68		10_2_000000018007DE68
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018008CE80		10_2_000000018008CE80
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_000000018006CEB8		10_2_000000018006CEB8
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180001F6C		10_2_0000000180001F6C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000000180035F70		10_2_0000000180035F70
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800AFFA4		10_2_00000001800AFFA4

Document contains embedded VBA macros

Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls

OLE indicator, VBA macros: true

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: Joe Sandbox View	Dropped File: C:\Users\user\BASE.BABAA AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe

Section loaded: imagepop.dll

Jump to behavior

Yara signature match

Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, type: SAMPLE

Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Binary contains paths to development resources

Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Classification label

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLS@14/18@8/13

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00064C40 LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,		6_2_00064C40
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_00000001800B4E1C LookupPrivilegeValueA,AdjustTokenPrivileges,		10_2_00000001800B4E1C

Contains functionality to enum processes or threads

Source: C:\Windows\System32\svchost.exe

Code function: 10_2_00000001800B5134 CreateToolhelp32Snapshot,Process32First,Process32Next,StrStrIA,

10_2_00000001800B5134

Contains functionality to instantiate COM classes

Source: C:\Windows\System32\wermgr.exe

Code function: 6_2_0006376C CoCreateInstance,

6_2_0006376C

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\D3DE0000

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\wermgr.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{20D2CF44-ED8C-5F48-68CE-BDAC24C4F6AF}

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC5FD.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls

OLE indicator, Workbook stream: true

Queries a list of all open handles

Source: C:\Windows\System32\wermgr.exe

System information queried: HandleInformation

Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Runs a DLL by calling functions

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer

Sample is known by Antivirus

Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls	Virustotal: Detection: 11%
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls	ReversingLabs: Detection: 27%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\taskeng.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:

Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2095142044.000000006E169000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00321BD0 push dword ptr [edx+14h]; ret		4_2_00321CDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00321C7A push dword ptr [edx+14h]; ret		4_2_00321CDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00321CFD push dword ptr [edx+14h]; ret		4_2_00321CDD

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\BASE.BABAA			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\BASE.BABAA

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\BASE.BABAA			Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\BASE.BABAA

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\wermgr.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Source: C:\Windows\System32\wermgr.exe

Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,handleClosed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\System32\wermgr.exe

RDTSC instruction interceptor: First address: 000000000006EAD0 second address: 000000000006EAD0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [0000E3AEh] 0x00000013 jmp 00007F6EE4D30110h 0x00000015 jmp dword ptr [0007C47Ah] 0x0000001b mov ecx, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 mov eax, dword ptr [7FFE0320h] 0x0000002a dec eax 0x0000002b imul eax, ecx 0x0000002e dec eax 0x0000002f shr eax, 18h 0x00000032 ret 0x00000033 inc esp 0x00000034 mov esi, eax 0x00000036 dec ecx 0x00000037 mov esi, edi 0x00000039 dec eax 0x0000003a xor esi, FFFFFF00h 0x00000040 dec ecx 0x00000041 and esi, edi 0x00000043 call 00007F6EE4D27FA6h 0x00000048 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\System32\wermgr.exe

Code function: 6_2_0006EAD0 rdtsc

6_2_0006EAD0

Contains functionality to query network adapater information

Source: C:\Windows\System32\wermgr.exe

Code function: GetAdaptersInfo,

6_2_000784E0

Found dropped PE file which has not been started or loaded

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\taskeng.exe TID: 1288	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1464	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1464	Thread sleep time: -60000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\wermgr.exe	Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe	Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00061290 FindFirstFileW,FindNextFileW,		6_2_00061290
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,		6_2_000646F0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0007FBB0 FindFirstFileW,SleepEx,FindNextFileW,		6_2_0007FBB0

Contains functionality to query system information

Source: C:\Windows\System32\svchost.exe

Code function: 10_2_00000001800836A4 GetSystemInfo,

10_2_00000001800836A4

Queries a list of all running processes

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\System32\wermgr.exe

Code function: 6_2_0006EAD0 rdtsc

6_2_0006EAD0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\wermgr.exe

Code function: 6_2_00073070 LdrLoadDll,

6_2_00073070

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E15B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_6E15B044

Enables debug privileges

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E15B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_6E15B044
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E157DE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_6E157DE5
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_00082060 SetCurrentDirectoryW,SleepEx,SetTimer,RtlAddVectoredExceptionHandler,		6_2_00082060

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: C:\Windows\System32\wermgr.exe base: 60000 protect: page execute and read and write

Jump to behavior

Hijacks the control flow in another process

Source: C:\Windows\System32\wermgr.exe

Memory written: PID: 2296 base: 180106000 value: FF

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\wermgr.exe base: 60000			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\wermgr.exe base: FFC993F8			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 60000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 70000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: FF0E246C			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 70000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 70000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 70000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180001000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180001000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 1800DC000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 1800DC000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180106000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180106000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 18010C000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 18010C000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180113000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180113000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C0000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 70000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 180000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 300000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F30000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F50000			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\svchost.exe base: 70000			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: wermgr.exe, 00000006.00000002.2357397155.0000000000860000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: wermgr.exe, 00000006.00000002.2357397155.0000000000860000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000006.00000002.2357397155.0000000000860000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\wermgr.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Windows\System32\taskeng.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Trickbot

Source: Yara match

File source: Process Memory Space: wermgr.exe PID: 2408, type: MEMORY

Yara detected Trickbot

Source: Yara match	File source: 00000004.00000002.2094061002.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2089754481.00000000006C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2089764139.00000000006C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2094284509.0000000000690000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2094761896.0000000002198000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultSecurityPreloadState.txt			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultcompatibility.ini			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultAlternateServices.txt			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History.bak			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak			Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultSiteSecurityServiceState.txt			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior

Remote Access Functionality:

Yara detected Trickbot

Source: Yara match

File source: Process Memory Space: wermgr.exe PID: 2408, type: MEMORY

Yara detected Trickbot

Source: Yara match	File source: 00000004.00000002.2094061002.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2089754481.00000000006C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2089764139.00000000006C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2094284509.0000000000690000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2094761896.0000000002198000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE