trickbot | 52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929

Target

52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe
Size

660KB
MD5

3ba7d3dbc17ce640e0bb3dd5f989169b
SHA1

84ee0b6e02339f1deb33d75693551db444923ba8
SHA256

52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929
SHA512

3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231

Score

10^/10

trickbot tar2 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	api.ipify.org
7	api.ipify.org

Drops file in System32 directory 1 IoCs

Processes:

wermgr.exe

description	ioc	Process
File created	C:\Windows\system32\cn\cgnxqkv.txt	wermgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wermgr.execmd.exe

description	pid	Process
Token: SeDebugPrivilege	1084	wermgr.exe
Token: SeDebugPrivilege	528	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe

pid	Process
2024	52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe
2024	52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe

Suspicious use of WriteProcessMemory 524 IoCs

Processes:

52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exewermgr.exe

description	pid	Process	procid_target
PID 2024 wrote to memory of 1084	2024	52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe	30
PID 2024 wrote to memory of 1084	2024	52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe	30
PID 2024 wrote to memory of 1084	2024	52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe	30
PID 2024 wrote to memory of 1084	2024	52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe	30
PID 2024 wrote to memory of 1084	2024	52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe	30
PID 2024 wrote to memory of 1084	2024	52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe	30
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31
PID 1084 wrote to memory of 528	1084	wermgr.exe	31

C:\Users\Admin\AppData\Local\Temp\52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe
"C:\Users\Admin\AppData\Local\Temp\52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/528-3-0x0000000000000000-mapping.dmp

Download
memory/1084-2-0x0000000000000000-mapping.dmp

Download
memory/2024-0-0x0000000000390000-0x00000000003CE000-memory.dmp

Filesize
248KB

Download
memory/2024-1-0x00000000006D0000-0x000000000070A000-memory.dmp

Filesize
232KB

Download