trickbot | 01aa55a89b1daf73919d9e2e8d4570be3a1f5df44d9b085d097b75a153e93a56

Analysis

max time kernel
297s
max time network
298s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CHIL64KIOL.exe
Size

535KB
MD5

5bf8e55247c38900f94178eca68df336
SHA1

2ebb72e08ff2c146c85d37bc7c966be263174ef1
SHA256

01aa55a89b1daf73919d9e2e8d4570be3a1f5df44d9b085d097b75a153e93a56
SHA512

618a5d8f0059e97f053c8d43c406ff1ff9d582abdf9a0bfe81669f46c576c0c3f3506ebe20dd2423e2a3fc46cd9dc5c2d046f5e57c4944490f32490ebc93a0f6

Score

10^/10

spyware trojan banker trickbot

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

chil64

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Suspicious use of WriteProcessMemory 758 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 3912	1740	CHIL64KIOL.exe	73
PID 1740 wrote to memory of 3912	1740	CHIL64KIOL.exe	73
PID 1740 wrote to memory of 3912	1740	CHIL64KIOL.exe	73
PID 1740 wrote to memory of 3912	1740	CHIL64KIOL.exe	73
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 3416	3912	wermgr.exe	76
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77
PID 3912 wrote to memory of 64	3912	wermgr.exe	77

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	wermgr.exe
Token: SeDebugPrivilege	3912	wermgr.exe
Token: SeDebugPrivilege	3912	wermgr.exe
Token: SeDebugPrivilege	3416	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3416	svchost.exe
3416	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ipecho.net

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

C:\Users\Admin\AppData\Local\Temp\CHIL64KIOL.exe
"C:\Users\Admin\AppData\Local\Temp\CHIL64KIOL.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- - C:\Windows\system32\svchost.exe
    svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:3416
- - C:\Windows\system32\svchost.exe
    svchost.exe
    3⤵
    PID:64

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-61-0x0000000180000000-0x0000000180016000-memory.dmp

Filesize
88KB

Download
memory/1740-0-0x0000000000960000-0x0000000000993000-memory.dmp

Filesize
204KB

Download
memory/3416-4-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-5-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-6-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-7-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-8-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-9-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-10-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-11-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-12-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-13-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-14-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-15-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-16-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-17-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-18-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-19-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-20-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-21-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-22-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-23-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-24-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-25-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-26-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-27-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-28-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-29-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-30-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-31-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-32-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-33-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-34-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-35-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-36-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-37-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-38-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-39-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-40-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-41-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-42-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-43-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-44-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-45-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-46-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-47-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-48-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-49-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-50-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-51-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-52-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-53-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-54-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-55-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-56-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-57-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-58-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download
memory/3416-59-0x0000017B666C0000-0x0000017B666C1000-memory.dmp

Filesize
4KB

Download