Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
Analysis ID:	1391082
MD5:	11a2a91d1b8c9b3b0784d70a78f2da6f
SHA1:	5ecb42524c51dea5e2377419f77c25ed8fedf0b2
SHA256:	a57a3b08bfb8aec37a412a829baf276ce0dd2782927ccc925f4509c97680ea73
Tags:	exe
Infos:

Detection

Amadey, RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

Yara detected RisePro Stealer

Binary is likely a compiled AutoIt script file

Creates multiple autostart registry keys

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

PE file has nameless sections

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe (PID: 5384 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe MD5: 11A2A91D1B8C9B3B0784D70A78F2DA6F)

schtasks.exe (PID: 4524 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6848 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jQVZ0AI5Ls1YopKhCBc3.exe (PID: 7836 cmdline: "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe" MD5: 67B659FCDDF2F8C738A12D6E482A076B)

chrome.exe (PID: 7884 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1668 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1936,i,1783626661732821117,8687075592315426283,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7944 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7452 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1936,i,5473178486326315563,2545621214023589303,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8348 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1976,i,6856639093823868645,7335846577343969463,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8188 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8932 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1916,i,11065865018849172942,2521104990630376558,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 8852 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9564 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1912,i,15615417388423881991,543541311184639790,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7024 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9808 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1064 --field-trial-handle=2040,i,3936048782353792184,14433501436862568511,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7432 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com MD5: 69222B8101B0601CC6663F8381E7E00F)

chrome.exe (PID: 9604 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 10028 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 10192 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

firefox.exe (PID: 9616 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 9568 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6188 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

schtasks.exe (PID: 9452 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 9576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 9624 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 9372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dHERKKd2xGPyY5Ssqp_N.exe (PID: 10468 cmdline: "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe" MD5: 027F0C0AE28575127E76E80E2E91D46D)

4sPiYiirBc4Eg8wqN443.exe (PID: 11020 cmdline: "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe" MD5: 64D74B4DCF40E24D3F163421AD180350)

MPGPH131.exe (PID: 3700 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 11A2A91D1B8C9B3B0784D70A78F2DA6F)

MPGPH131.exe (PID: 4300 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 11A2A91D1B8C9B3B0784D70A78F2DA6F)

RageMP131.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 11A2A91D1B8C9B3B0784D70A78F2DA6F)

RageMP131.exe (PID: 8724 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 11A2A91D1B8C9B3B0784D70A78F2DA6F)

msedge.exe (PID: 9840 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9640 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2072,i,1673978244121305096,9852326822399086703,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

firefox.exe (PID: 3392 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8992 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20230927232528 -prefsHandle 2284 -prefMapHandle 1816 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc5eb95e-32b5-4e67-b0fb-c26c990538d2} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 2000786cf10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 9608 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 10328 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

MSIUpdaterV131.exe (PID: 10624 cmdline: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe MD5: 027F0C0AE28575127E76E80E2E91D46D)

firefox.exe (PID: 10776 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 10928 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

MSIUpdaterV131.exe (PID: 9596 cmdline: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe MD5: 027F0C0AE28575127E76E80E2E91D46D)

AdobeUpdaterV131.exe (PID: 9188 cmdline: "C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe" MD5: 027F0C0AE28575127E76E80E2E91D46D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\P52521B9kqdb74d8LejmrZT.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\u5VRxrmyjWYJsGnPHociwt5.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\5QtvYXoJaghghg50zGLKyNk.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000002A.00000002.2084783663.0000000000DC1000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002B.00000002.2091149221.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000030.00000002.2160160951.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000030.00000003.2055220279.0000000004890000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002A.00000003.1921954403.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002B.00000003.2039950700.0000000004690000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
43.2.MSIUpdaterV131.exe.e0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
48.2.MSIUpdaterV131.exe.e0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
42.2.dHERKKd2xGPyY5Ssqp_N.exe.dc0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, ProcessId: 5384, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, ProcessId: 5384, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.215.113.46/mine/plaza.exe0v	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exej	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/well.exemania	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exef	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/niks.exeeidi2JNoqCa0s9_1	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exe86	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exeb	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exeuu	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/well.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exe3	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exeA	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/amert.exeg	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/amert.exeS	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exenu	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exeT	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exeb	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exe17_	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exev	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exert	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exe7	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exe6	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\fu[1].exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\fu[1].exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ladas[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\plaza[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\ladas[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\plaza[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\well[1].exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\fu[1].exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\ladas[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\plaza[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\well[1].exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\6EzL3hHTS7jbM2Oz3y4V.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\8PXzAAoEBuHCTzP4RBWU.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\WWQdc6vczGf1JWs0hh6W.exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\zFHlx6IqQx3xR1F02yH2.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\3rOLtV34Ut0fTkzynGHi.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\IDzOFuKIaHRpmM4TfCyF.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\KxZFCNaRhrDevdKhe6iU.exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\BzN7a4ewVcXrTgzQjQz2.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\HaJpYvk8t0RJ45fl1Ifn.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\HhXfzERnI4EYVEjNyANc.exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

ReversingLabs: Detection: 47%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A5FE20 CryptUnprotectData,CryptUnprotectData,		0_2_00A5FE20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002BFE20 CryptUnprotectData,CryptUnprotectData,		6_2_002BFE20

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A4C000 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	0_2_00A4C000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00B1B005 recv,FindFirstFileExW,	0_2_00B1B005
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002AC000 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	6_2_002AC000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0037B005 recv,FindFirstFileExW,	6_2_0037B005

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\Documents\desktop.ini

Source: firefox.exe

Memory has grown: Private usage: 1MB later: 96MB

Source: Joe Sandbox View	IP Address: 13.107.6.158 13.107.6.158
Source: Joe Sandbox View	IP Address: 204.79.197.200 204.79.197.200
Source: Joe Sandbox View	IP Address: 185.215.113.46 185.215.113.46
Source: Joe Sandbox View	IP Address: 185.215.113.46 185.215.113.46

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Code function: 0_2_00B1B005 recv,FindFirstFileExW,

0_2_00B1B005

Source: firefox.exe, 00000028.00000002.1887962885.00000298B6900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 00000022.00000002.1772637061.00000231DC0C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000022.00000002.1772637061.00000231DC0C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com( equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2393281421.0000020021E76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2525501401.0000020021E7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2479090169.0000020021E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000024.00000002.1760940686.000001DF1A570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2513312990.000002001F9EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2537031544.000002001F9EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000022.00000002.1773334428.00000231DDDA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0`0https://www.youtube.com --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 00000024.00000003.1759456164.000001DF1A58C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000024.00000002.1760940686.000001DF1A591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 7n7https://www.facebook.com/video --attempting-deelevationUser equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2515159317.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538696647.000002001F924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2399662965.00000200212EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2394735009.00000200212EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8e=nssBadCert&u=https%3A//www.youtube.com/&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2530333761.00000200212EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2506437316.00000200212EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8e=nssBadCert&u=https%3A//www.youtube.com/&c=UTF-8&d=%20@ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2529018882.000002002197A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2545471085.000002001BC3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2549293313.000002001B95D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2559211831.000002001B82A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2530333761.00000200212D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538913962.000002001F5C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538913962.000002001F5D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2529410708.0000020021573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2511786855.0000020020E88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2505263719.0000020021573000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2549293313.000002001B95D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2393281421.0000020021E76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2525501401.0000020021E7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2479090169.0000020021E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/p equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2515159317.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538696647.000002001F924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: :https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2447950789.0000020017D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @mozilla.org/network/background-file-saver;1?mode=streamlistenerhttp://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.1887962885.00000298B6900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.facebook.com/video--attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 00000024.00000002.1760940686.000001DF1A570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.facebook.com/videoSh equals www.facebook.com (Facebook)
Source: firefox.exe, 00000022.00000002.1772637061.00000231DC0C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000024.00000002.1760940686.000001DF1A570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/videoC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\DefaultQh equals www.facebook.com (Facebook)
Source: firefox.exe, 00000022.00000002.1772637061.00000231DC0C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.comC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Defaultl equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.1887962885.00000298B6900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2512492000.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: O^partitionKey=%28https%2Cfacebook.com%29,:https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2512492000.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: O^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2440457824.0000020021579000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2529410708.0000020021573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2398315807.0000020021579000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Qmoz-nullprincipal:{5b8e26e2-dc46-4106-a8b1-d605d72fda69}?https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2448027886.0000020017D80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2529410708.0000020021573000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: about:certerror?e=nssBadCert&u=https%3A//www.youtube.com/&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2530333761.00000200212EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2399662965.00000200212EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: e=nssBadCert&u=https%3A//www.youtube.com/&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2529018882.000002002197A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2277907438.000002001A8F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2545471085.000002001BC3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2549293313.000002001B95D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2559211831.000002001B82A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2530333761.00000200212D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538913962.000002001F5C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538913962.000002001F5D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2393281421.0000020021E94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021E95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2393281421.0000020021E94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2012410394.0000020019B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2549293313.000002001B95D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2503321768.00000200215B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2529410708.00000200215B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2398315807.00000200215B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000024.00000003.1759456164.000001DF1A58C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000024.00000002.1760940686.000001DF1A591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.facebook.com/video --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 00000022.00000002.1772637061.00000231DC0C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.youtube.com --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2519173933.000002001BFDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2510716950.0000020020EB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2535123302.0000020020EB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2538913962.000002001F5D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2515891721.000002001F5D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538913962.000002001F5E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2393281421.0000020021E94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2540139218.000002001F5A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2535743839.0000020020E99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2511786855.0000020020E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comp equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2408780882.000002001F973000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comtags________ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2513312990.000002001F9EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2537031544.000002001F9EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x.S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2512492000.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xO^partitionKey=%28https%2Cfacebook.com%29,:https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2512492000.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xO^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2529410708.0000020021573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2491387296.0000020021E36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xabout:certerror?e=nssBadCert&u=https%3A//www.youtube.com/&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2545471085.000002001BC3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2558878982.000002001B83D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000003.2278212608.000002001A8EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2512492000.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2278212608.000002001A8EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2512492000.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2503321768.00000200215B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2529410708.00000200215B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2398315807.00000200215B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.youtube.com^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000003.2510716950.0000020020EB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2535123302.0000020020EB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xtlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1661731813.0000000006643000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1650239381.0000000006643000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1652691922.0000000006643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exe
Source: MPGPH131.exe, 00000006.00000003.2735491573.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2608514599.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exe(
Source: RageMP131.exe, 00000008.00000002.1939358806.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exe)
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CE9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2626712828.0000000005CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exef
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exeger
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1650239381.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1661731813.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1652691922.0000000006631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exert
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe12
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe13
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe17_
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe3
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe3F
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe83u
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe86
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe9x
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exeA
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000002.2086346307.00000000014FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exeS1
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exeT
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exeb
Source: MPGPH131.exe, 00000007.00000002.2626712828.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exehvpd
Source: MPGPH131.exe, 00000006.00000003.2735491573.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exet
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1950118970.0000000006643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exev
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/niks.exe
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/niks.exed2
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/niks.exeeidi2JNoqCa0s9_1
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exe
Source: MPGPH131.exe, 00000007.00000002.2626712828.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exe1a
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exeN2
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exemania
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/amert.exe
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/amert.exeS
Source: RageMP131.exe, 00000008.00000002.1939358806.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/amert.exeau
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/amert.exeg
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe0v
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe13
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe1rv
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe6
Source: MPGPH131.exe, 00000006.00000003.2735491573.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2608514599.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe7
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe8
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe81
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe85kuue
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe86
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe9
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2626712828.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exeVube
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exeb
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exej
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exeman2
Source: RageMP131.exe, 00000008.00000002.1939358806.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exenu
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exesive.dll
Source: MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exeuu
Source: firefox.exe, 00000027.00000003.2505263719.0000020021573000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://accounts.google.com/
Source: firefox.exe, 00000027.00000003.2553308884.000002001B884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: firefox.exe, 00000027.00000003.2553308884.000002001B884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: firefox.exe, 00000027.00000003.2542777005.000002001BCCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: firefox.exe, 00000027.00000003.2515159317.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538696647.000002001F924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0
Source: firefox.exe, 00000027.00000003.2441089239.00000200212F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000027.00000003.2008257223.0000020019C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/
Source: firefox.exe, 00000027.00000003.1949619169.0000020019DC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000027.00000003.2008257223.0000020019C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000027.00000003.2008257223.0000020019C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 00000027.00000003.2513312990.000002001F996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: firefox.exe, 00000027.00000003.2513312990.000002001F996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-07/schema#-
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000027.00000003.2552897577.000002001B90D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/
Source: firefox.exe, 00000027.00000003.2278677697.000002001A854000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2355399254.00000200176F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1901938072.00000200176C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2094149182.00000200176EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1905616144.00000200176AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2278677697.000002001A883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2214423557.000002001A89A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2345662599.00000200176A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2026712725.00000200176AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1905616144.00000200176C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2094149182.00000200176DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2549293313.000002001B937000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2077496755.0000020017691000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2298448290.000002001739A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1905553662.00000200176F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1899966098.00000200176D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2024819623.00000200176EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1899211633.00000200176D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2281683178.0000020019DC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1993999431.000002001A883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1991165924.000002001A8AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: firefox.exe, 00000027.00000003.2515159317.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538696647.000002001F924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog
Source: firefox.exe, 00000027.00000003.2542777005.000002001BCCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: firefox.exe, 00000027.00000003.2515159317.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538696647.000002001F924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: firefox.exe, 00000027.00000003.2542777005.000002001BCCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: firefox.exe, 00000027.00000003.2515159317.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538696647.000002001F924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 00000027.00000003.2545987773.000002001BC15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2531685400.0000020021289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000027.00000003.2513312990.000002001F9A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2515159317.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2535743839.0000020020E99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538696647.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2537031544.000002001F9A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2511786855.0000020020E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org
Source: firefox.exe, 00000027.00000003.2535743839.0000020020E99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2511786855.0000020020E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org/
Source: firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2545987773.000002001BC15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2531685400.0000020021289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000002E.00000003.2739730282.0000026D26D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: firefox.exe, 00000029.00000003.2674811397.000002880C48E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2668913323.000002880C48E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2647414793.000002880C48B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2689777330.000002880C48E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2692565844.000002880C48E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: firefox.exe, 00000029.00000003.2674811397.000002880C48E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2668913323.000002880C48E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2647414793.000002880C48B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersl-n
Source: firefox.exe, 0000002E.00000003.2744790050.0000026D26D19000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2739730282.0000026D26D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comTTF
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: firefox.exe, 0000002E.00000003.2098306180.0000026D26FBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2032879779.0000026D26FBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2553038918.0000026D26FCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000029.00000003.2026050058.000002880BFB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul4e
Source: firefox.exe, 00000029.00000003.2026050058.000002880BFB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulQj
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000002.2076238508.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1484666355.0000000005340000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1532755673.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2765452640.00000000002A1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.1533495347.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2549739564.00000000002A1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.1636124507.0000000005320000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1887520841.00000000008C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000003.1843238183.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2088902875.00000000008C1000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: firefox.exe, 00000027.00000003.2447950789.0000020017D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com
Source: firefox.exe, 00000027.00000003.2529018882.000002002197A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2545471085.000002001BC3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2531685400.0000020021289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2545471085.000002001BC3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2531685400.0000020021289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000027.00000003.2553308884.000002001B8D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: firefox.exe, 00000027.00000003.1883235512.0000020017300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888767017.000002001753A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889124800.0000020017557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889563330.0000020017573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638857933.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1608053754.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1598861889.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638775970.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1637417280.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1597873882.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000027.00000003.2559211831.000002001B820000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1989729068.000002001A8E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000027.00000003.2503321768.00000200215D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2529410708.00000200215D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2398315807.00000200215D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2440457824.00000200215D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 0000002C.00000002.1926569196.000001DEAF620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: firefox.exe, 0000002C.00000002.1926569196.000001DEAF620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com--attempting-deelevation
Source: firefox.exe, 00000027.00000003.2511786855.0000020020E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: firefox.exe, 00000027.00000003.2546355697.000002001B98C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2511786855.0000020020E88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2461439392.00000200219F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2495701203.00000200219F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/https://accounts.google.com/
Source: jQVZ0AI5Ls1YopKhCBc3.exe, 0000000B.00000002.2765450458.00000000001F0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.1816315056.000001CAC95D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comC:
Source: firefox.exe, 00000027.00000003.2240336859.00000200159A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2239968674.00000200159DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2447950789.0000020017D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4040738/cookie_autodelete-3.8.2.xpi
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4129240/privacy_badger17-2023.6.23.xpi
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4141092/facebook_container-2.3.11.xpi
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4141092/facebook_container-2.3.11.xpihttps://addon
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/506/506646-64.png?modified=mcrushed
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/506/506646-64.png?modified=mcrushed(browserSetting
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/784/784287-64.png?modified=mcrushed
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/784/784287-64.png?modified=mcrushedLe
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/954/954390-64.png?modified=97d4c956
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/954/954390-64.png?modified=97d4c956(browserSetting
Source: firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1707763558474.12791&key=1707763558400900
Source: firefox.exe, 00000027.00000003.2475549501.0000020021EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1707763558474.12791&key=1707763558400900002.1&cta
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638857933.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1608053754.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1598861889.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638775970.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1637417280.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1597873882.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638857933.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1608053754.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1598861889.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638775970.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1637417280.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1597873882.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638857933.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1608053754.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1598861889.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638775970.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1637417280.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1597873882.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000027.00000003.1883235512.0000020017300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888767017.000002001753A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889124800.0000020017557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889563330.0000020017573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000027.00000003.2475549501.0000020021EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpgThi
Source: firefox.exe, 00000027.00000003.2475549501.0000020021EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/Itd_9Uful1tVwaV4hW73oqSvUYC6Gf8RNa3yg9HsqRE.3951.jpg
Source: firefox.exe, 00000027.00000003.2475549501.0000020021EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgA
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
Source: firefox.exe, 00000027.00000003.2558878982.000002001B83D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 00000027.00000003.2403028281.000002001F828000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2416872043.000002001F823000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000027.00000003.2401787867.000002001BEE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2412407578.000002001BEB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 00000029.00000003.2031086545.000002880BBBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1
Source: firefox.exe, 00000027.00000003.2240336859.00000200159A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 00000027.00000003.2440457824.00000200215B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000027.00000003.2545471085.000002001BC2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 00000027.00000003.2383860555.000002002136F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000027.00000003.2383860555.000002002136F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000027.00000003.1883235512.0000020017300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888767017.000002001753A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889124800.0000020017557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889563330.0000020017573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: firefox.exe, 00000027.00000003.2513312990.000002001F9A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2537031544.000002001F9A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: firefox.exe, 00000029.00000003.2031086545.000002880BBBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Zbr4ZHZ4CDa4pbW1CbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 00000014.00000002.2099369510.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Fi
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1939358806.000000000156C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000002.2076238508.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1484666355.0000000005340000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1532755673.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2765452640.00000000002A1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.1533495347.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2549739564.00000000002A1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.1636124507.0000000005320000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1887520841.00000000008C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000003.1843238183.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2088902875.00000000008C1000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 00000008.00000002.1939358806.000000000154F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/i
Source: RageMP131.exe, 00000008.00000002.1939358806.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/s
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2560943444.0000000000C90000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1939358806.000000000154F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1939358806.000000000156C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2099369510.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.74
Source: RageMP131.exe, 00000008.00000002.1939358806.000000000154F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.74k
Source: RageMP131.exe, 00000014.00000002.2099369510.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.74n
Source: RageMP131.exe, 00000014.00000002.2099369510.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.74
Source: RageMP131.exe, 00000008.00000002.1939358806.000000000156C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.74P
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.74X9
Source: firefox.exe, 00000027.00000003.2549293313.000002001B937000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000027.00000003.2513312990.000002001F996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 00000027.00000003.2513312990.000002001F996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2019-09/schemaresource://gre/modules/JsonSchema.sys.mjs
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2020-12/schema
Source: firefox.exe, 00000027.00000003.2513312990.000002001F996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 00000027.00000003.2513312990.000002001F996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2020-12/schemaInstance
Source: firefox.exe, 00000027.00000003.2559211831.000002001B820000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1989729068.000002001A8E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000027.00000003.2559211831.000002001B820000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1989729068.000002001A8E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 00000027.00000003.2240336859.00000200159A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2240336859.00000200159C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 00000027.00000003.2240336859.00000200159A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000027.00000003.2240336859.00000200159C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.compd
Source: firefox.exe, 00000027.00000003.2440457824.00000200215B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000027.00000003.2507147692.00000200212A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000027.00000003.2491387296.0000020021E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 00000027.00000003.2240336859.00000200159A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2501812741.0000020021912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2240336859.00000200159C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000027.00000003.2401787867.000002001BEE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2412407578.000002001BEB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 00000027.00000003.2401787867.000002001BEE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2412407578.000002001BEB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 00000027.00000003.1952540052.0000020019CE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2115706194.0000020019CEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2008257223.0000020019CE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2228321706.0000020019CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 00000027.00000003.2277107716.000002001AECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: RageMP131.exe, 00000008.00000002.1939358806.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botRomaniaG2
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botY2
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net
Source: firefox.exe, 00000027.00000003.2529018882.000002002197A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/ads-track-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/analytics-track-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/base-cryptomining-track-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/base-email-track-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/base-fingerprinting-track-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/content-email-track-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/content-track-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/google-trackwhite-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2538913962.000002001F5D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/mozplugin-block-digest256/1604686195
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/social-track-digest256/118.0/1693227274
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/118.0/1693
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/social-tracking-protection-linkedin-digest256/118.0/1693
Source: firefox.exe, 00000027.00000003.2546355697.000002001B9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tracking-protection.cdn.mozilla.net/social-tracking-protection-twitter-digest256/118.0/16932
Source: firefox.exe, 00000027.00000003.2240336859.00000200159A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2240336859.00000200159C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000027.00000003.2507147692.00000200212A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000027.00000003.2552897577.000002001B906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000027.00000003.2552897577.000002001B906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000027.00000003.2507147692.00000200212A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: firefox.exe, 00000027.00000003.2540139218.000002001F5A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475549501.0000020021EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2461439392.00000200219F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2515891721.000002001F5A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2495701203.00000200219F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_da35efdf7fb6b20d4be6a53f3a5c7579d215346ca6420c02
Source: firefox.exe, 00000027.00000003.1911985701.00000200139B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000027.00000003.2552897577.000002001B906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000027.00000003.2552897577.000002001B906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: firefox.exe, 00000027.00000003.2560000631.000002001B2DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 00000027.00000003.2552897577.000002001B906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638857933.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1608053754.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1598861889.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638775970.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1637417280.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1597873882.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 00000027.00000003.2475549501.0000020021EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2461439392.00000200219F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2495701203.00000200219F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2512492000.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000027.00000003.2532168987.000002002126D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000027.00000003.1883235512.0000020017300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888767017.000002001753A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889124800.0000020017557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889563330.0000020017573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000027.00000003.1911985701.00000200139B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000027.00000003.2475549501.0000020021EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.groupon.com/?utm_source=google&utm_medium=cpc&utm_campaign=us_dt_sea_ggl_txt_smp_sr_cbp_
Source: firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000027.00000003.2553308884.000002001B8E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2530333761.00000200212D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2501812741.0000020021912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2506437316.00000200212D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2394735009.00000200212D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2506437316.00000200212D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2441089239.00000200212CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000027.00000003.2549293313.000002001B937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 00000027.00000003.2393281421.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2475835774.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/eware3
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1594912347.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1598136009.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1578119925.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1650239381.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1593050843.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1593804226.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1661731813.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1674131667.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1598652884.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1595881025.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.2041161160.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1599464044.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1592113511.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1957495064.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1590148708.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1607892653.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1597059747.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1811506898.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1607245468.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1591362920.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1602528714.0000000006631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000027.00000003.1952540052.0000020019CE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2008257223.0000020019CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000027.00000003.2552897577.000002001B906000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000027.00000003.2511786855.0000020020E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000027.00000003.2552897577.000002001B906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000022.00000002.1772637061.00000231DC0C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com(
Source: firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000027.00000003.2393281421.0000020021E76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2525501401.0000020021E7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2479090169.0000020021E76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/p
Source: firefox.exe, 00000022.00000002.1772637061.00000231DC0C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comC:
Source: firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000027.00000003.2532823304.00000200211D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2507147692.00000200212A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com

System Summary

Binary is likely a compiled AutoIt script file

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.2039399612.0000000006E85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e3a10f8b-7
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.2039399612.0000000006E85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_99319674-b
Source: MPGPH131.exe, 00000006.00000003.2382855663.0000000006A11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6c4cfffb-8
Source: MPGPH131.exe, 00000006.00000003.2382855663.0000000006A11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4de99616-c
Source: MPGPH131.exe, 00000007.00000003.2507254460.00000000063CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_222d6919-c
Source: MPGPH131.exe, 00000007.00000003.2507254460.00000000063CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cbf16adc-2
Source: jQVZ0AI5Ls1YopKhCBc3.exe, 0000000B.00000000.1665997434.0000000000932000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_196ca8d9-7
Source: jQVZ0AI5Ls1YopKhCBc3.exe, 0000000B.00000000.1665997434.0000000000932000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cde2b0cd-5

PE file contains section with special chars

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name: .idata
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: EdgeMS131.exe.0.dr	Static PE information: section name:
Source: EdgeMS131.exe.0.dr	Static PE information: section name: .idata
Source: EdgeMS131.exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name: .idata
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name:
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name: .idata
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name: .idata
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name:
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name: .idata
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name:
Source: amert[1].exe.0.dr	Static PE information: section name:
Source: amert[1].exe.0.dr	Static PE information: section name: .idata
Source: amert[1].exe.0.dr	Static PE information: section name:
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name:
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name: .idata
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: .idata
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name:
Source: amert[1].exe.6.dr	Static PE information: section name:
Source: amert[1].exe.6.dr	Static PE information: section name: .idata
Source: amert[1].exe.6.dr	Static PE information: section name:
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name:
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name: .idata
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name:
Source: niks[1].exe.6.dr	Static PE information: section name:
Source: niks[1].exe.6.dr	Static PE information: section name: .idata
Source: niks[1].exe.6.dr	Static PE information: section name:
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name:
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name: .idata
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name:
Source: ladas[1].exe.6.dr	Static PE information: section name:
Source: ladas[1].exe.6.dr	Static PE information: section name: .idata
Source: ladas[1].exe.6.dr	Static PE information: section name:
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name:
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name: .idata
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name:
Source: niks[1].exe.7.dr	Static PE information: section name:
Source: niks[1].exe.7.dr	Static PE information: section name: .idata
Source: niks[1].exe.7.dr	Static PE information: section name:
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name:
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name: .idata
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name: .idata
Source: ladas[1].exe.7.dr	Static PE information: section name:
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name:
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name: .idata
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name:
Source: amert[1].exe.7.dr	Static PE information: section name:
Source: amert[1].exe.7.dr	Static PE information: section name: .idata
Source: amert[1].exe.7.dr	Static PE information: section name:
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name:
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name: .idata
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name:
Source: explorgu.exe.42.dr	Static PE information: section name:
Source: explorgu.exe.42.dr	Static PE information: section name: .idata
Source: explorgu.exe.42.dr	Static PE information: section name:

PE file has nameless sections

Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002AA400 NtQuerySystemInformation,HeapFree,RtlFreeHeap,RtlAllocateHeap,NtQuerySystemInformation,HeapFree,		6_2_002AA400
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002AA720 NtDuplicateObject,CreateThread,RtlUnicodeStringToAnsiString,TerminateThread,		6_2_002AA720

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe

File created: C:\Windows\Tasks\explorgu.job

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A4F000	0_2_00A4F000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A68070	0_2_00A68070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A7D840	0_2_00A7D840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A76840	0_2_00A76840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A7A9A0	0_2_00A7A9A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A77900	0_2_00A77900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A6D970	0_2_00A6D970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A822B0	0_2_00A822B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A64230	0_2_00A64230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00B2922D	0_2_00B2922D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A6A260	0_2_00A6A260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A70390	0_2_00A70390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A743E0	0_2_00A743E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A70B10	0_2_00A70B10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A51370	0_2_00A51370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A824F0	0_2_00A824F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00B1A450	0_2_00B1A450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A65590	0_2_00A65590
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A8DDF0	0_2_00A8DDF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A9CDC0	0_2_00A9CDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A50530	0_2_00A50530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A6B560	0_2_00A6B560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A93550	0_2_00A93550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A94EF0	0_2_00A94EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A62ED0	0_2_00A62ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A80600	0_2_00A80600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A92F90	0_2_00A92F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A97F20	0_2_00A97F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A78F30	0_2_00A78F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00ABF0A0	0_2_00ABF0A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00ACB800	0_2_00ACB800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00AC4870	0_2_00AC4870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00ACD070	0_2_00ACD070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A42050	0_2_00A42050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00ACD9B0	0_2_00ACD9B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A9A180	0_2_00A9A180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A5A100	0_2_00A5A100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A422C0	0_2_00A422C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00B203A0	0_2_00B203A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00B23B28	0_2_00B23B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00AC0B10	0_2_00AC0B10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A4AB50	0_2_00A4AB50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00AB0420	0_2_00AB0420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00AC1590	0_2_00AC1590
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A6FDC0	0_2_00A6FDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00B2956F	0_2_00B2956F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00AD1EA0	0_2_00AD1EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00B3CE31	0_2_00B3CE31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A4A720	0_2_00A4A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002C8070	6_2_002C8070
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002D6840	6_2_002D6840
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002D7900	6_2_002D7900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002CD970	6_2_002CD970
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002DA9A0	6_2_002DA9A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002C4230	6_2_002C4230
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002CA260	6_2_002CA260
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002D0AB0	6_2_002D0AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002AAB50	6_2_002AAB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002D0390	6_2_002D0390
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002D43E0	6_2_002D43E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0037A450	6_2_0037A450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002CB560	6_2_002CB560
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002C5590	6_2_002C5590
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002C05E0	6_2_002C05E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002EDDF0	6_2_002EDDF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002E0600	6_2_002E0600
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002AA720	6_2_002AA720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002D8F30	6_2_002D8F30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002F2F90	6_2_002F2F90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0032B800	6_2_0032B800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_003BE004	6_2_003BE004
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00324870	6_2_00324870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0032D070	6_2_0032D070
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_003BE074	6_2_003BE074
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002A2050	6_2_002A2050
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0031F0A0	6_2_0031F0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002BA100	6_2_002BA100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0032D9B0	6_2_0032D9B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002A22C0	6_2_002A22C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00383B28	6_2_00383B28
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00320B10	6_2_00320B10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_003803A0	6_2_003803A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00310380	6_2_00310380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0038956F	6_2_0038956F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00311D40	6_2_00311D40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00321590	6_2_00321590
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002CFDC0	6_2_002CFDC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00331EA0	6_2_00331EA0

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 003098D0 appears 32 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: String function: 00AA98D0 appears 36 times

Source: ladas[1].exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ladas[1].exe.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ladas[1].exe.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: well[1].exe.6.dr

Static PE information: No import functions for PE file found

Source: well[1].exe.6.dr

Static PE information: Data appended to the last section found

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000002.2077813674.0000000000B77000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1512235538.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1511511560.00000000057D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: netutils.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: propsys.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: edputil.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: slc.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: userenv.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sppc.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Section loaded: profapi.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmm.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: samcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: version.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: userenv.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: mpr.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: netutils.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sfc.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmm.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: samcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: version.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: userenv.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: mpr.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: netutils.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sfc.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Section loaded: sspicli.dll

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: Section: ZLIB complexity 0.9998239966097988
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9998239966097988
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9998239966097988
Source: plaza[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9996047247023809
Source: plaza[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9942483836206897
Source: plaza[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9925390625
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9996047247023809
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9942483836206897
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9925390625
Source: EdgeMS131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: EdgeMS131.exe.0.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189
Source: ladas[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9998303865131579
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9998303865131579
Source: niks[1].exe.0.dr	Static PE information: Section: edffsevf ZLIB complexity 0.9944773508752575
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: Section: edffsevf ZLIB complexity 0.9944773508752575
Source: amert[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: amert[1].exe.0.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189
Source: MSIUpdaterV131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: MSIUpdaterV131.exe.0.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189
Source: amert[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: amert[1].exe.6.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189
Source: niks[1].exe.6.dr	Static PE information: Section: edffsevf ZLIB complexity 0.9944773508752575
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: Section: edffsevf ZLIB complexity 0.9944773508752575
Source: plaza[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9996047247023809
Source: plaza[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9942483836206897
Source: plaza[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9925390625
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9996047247023809
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9942483836206897
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9925390625
Source: ladas[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.9998303865131579
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9998303865131579
Source: niks[1].exe.7.dr	Static PE information: Section: edffsevf ZLIB complexity 0.9944773508752575
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: Section: edffsevf ZLIB complexity 0.9944773508752575
Source: plaza[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9996047247023809
Source: plaza[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9942483836206897
Source: plaza[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9925390625
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9996047247023809
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9942483836206897
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9925390625
Source: ladas[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9998303865131579
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9998303865131579
Source: amert[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: amert[1].exe.7.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189
Source: explorgu.exe.42.dr	Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: explorgu.exe.42.dr	Static PE information: Section: kitsnogt ZLIB complexity 0.9945407323120189

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: RageMP131.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: MPGPH131.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@183/701@0/92

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Code function: 6_2_002AAB50 CreateToolhelp32Snapshot,

6_2_002AAB50

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9372:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000002.2076238508.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1484666355.0000000005340000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1532755673.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2765452640.00000000002A1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.1533495347.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2549739564.00000000002A1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.1636124507.0000000005320000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1887520841.00000000008C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000003.1843238183.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2088902875.00000000008C1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000002.2076238508.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1484666355.0000000005340000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1532755673.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2765452640.00000000002A1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.1533495347.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2549739564.00000000002A1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.1636124507.0000000005320000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1887520841.00000000008C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000003.1843238183.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2088902875.00000000008C1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1591362920.0000000006607000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1588117054.0000000006639000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1637399214.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1637265731.0000000005F8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1644578013.0000000005F7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1585474403.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1585683146.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1591591456.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1591412975.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

ReversingLabs: Detection: 47%

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe"
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1936,i,5473178486326315563,2545621214023589303,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1936,i,1783626661732821117,8687075592315426283,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1976,i,6856639093823868645,7335846577343969463,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1916,i,11065865018849172942,2521104990630376558,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1912,i,15615417388423881991,543541311184639790,262144 /prefetch:3
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1064 --field-trial-handle=2040,i,3936048782353792184,14433501436862568511,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2072,i,1673978244121305096,9852326822399086703,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe"
Source: unknown	Process created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: unknown	Process created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20230927232528 -prefsHandle 2284 -prefMapHandle 1816 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc5eb95e-32b5-4e67-b0fb-c26c990538d2} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 2000786cf10 socket
Source: unknown	Process created: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe "C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1936,i,1783626661732821117,8687075592315426283,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1936,i,5473178486326315563,2545621214023589303,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1976,i,6856639093823868645,7335846577343969463,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1916,i,11065865018849172942,2521104990630376558,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1912,i,15615417388423881991,543541311184639790,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1064 --field-trial-handle=2040,i,3936048782353792184,14433501436862568511,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2072,i,1673978244121305096,9852326822399086703,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20230927232528 -prefsHandle 2284 -prefMapHandle 1816 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc5eb95e-32b5-4e67-b0fb-c26c990538d2} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 2000786cf10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32

Source: EdgeMS131.lnk.0.dr	LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS131\EdgeMS131.exe
Source: Sheets.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Static file information: File size 2399232 > 1048576

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Static PE information: Raw size of zcmtppku is bigger than: 0x100000 < 0x1b5400

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe.a40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.2a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 7.2.MPGPH131.exe.2a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 8.2.RageMP131.exe.8c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 20.2.RageMP131.exe.8c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zcmtppku:EW;kmucpvwr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Unpacked PE file: 42.2.dHERKKd2xGPyY5Ssqp_N.exe.dc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kitsnogt:EW;uwuqcgqm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kitsnogt:EW;uwuqcgqm:EW;.taggant:EW;
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Unpacked PE file: 43.2.MSIUpdaterV131.exe.e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kitsnogt:EW;uwuqcgqm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kitsnogt:EW;uwuqcgqm:EW;.taggant:EW;
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Unpacked PE file: 48.2.MSIUpdaterV131.exe.e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kitsnogt:EW;uwuqcgqm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kitsnogt:EW;uwuqcgqm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Unpacked PE file: 49.2.4sPiYiirBc4Eg8wqN443.exe.e00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;edffsevf:EW;xbfgsjgd:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2ffec6
Source: ladas[1].exe.7.dr	Static PE information: real checksum: 0x250c98 should be: 0x24c7fb
Source: amert[1].exe.0.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: amert[1].exe.6.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: MSIUpdaterV131.exe.0.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: well[1].exe.6.dr	Static PE information: real checksum: 0x120aa8 should be: 0x50a5d
Source: plaza[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x2ffec6
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: real checksum: 0x258ce5 should be: 0x24f5ae
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: real checksum: 0x250c98 should be: 0x24c7fb
Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x258ce5 should be: 0x24f5ae
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x2ffec6
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x2ffec6
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: ladas[1].exe.6.dr	Static PE information: real checksum: 0x250c98 should be: 0x24c7fb
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: real checksum: 0x250c98 should be: 0x24c7fb
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: plaza[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x2ffec6
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: real checksum: 0x250c98 should be: 0x24c7fb
Source: plaza[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2ffec6
Source: EdgeMS131.exe.0.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: explorgu.exe.42.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: amert[1].exe.7.dr	Static PE information: real checksum: 0x1d887e should be: 0x1e5fc5
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x258ce5 should be: 0x24f5ae
Source: ladas[1].exe.0.dr	Static PE information: real checksum: 0x250c98 should be: 0x24c7fb

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name: .idata
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name: zcmtppku
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name: kmucpvwr
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: zcmtppku
Source: RageMP131.exe.0.dr	Static PE information: section name: kmucpvwr
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: zcmtppku
Source: MPGPH131.exe.0.dr	Static PE information: section name: kmucpvwr
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name:
Source: EdgeMS131.exe.0.dr	Static PE information: section name:
Source: EdgeMS131.exe.0.dr	Static PE information: section name: .idata
Source: EdgeMS131.exe.0.dr	Static PE information: section name:
Source: EdgeMS131.exe.0.dr	Static PE information: section name: kitsnogt
Source: EdgeMS131.exe.0.dr	Static PE information: section name: uwuqcgqm
Source: EdgeMS131.exe.0.dr	Static PE information: section name: .taggant
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name: .idata
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name: bqhqoftp
Source: ladas[1].exe.0.dr	Static PE information: section name: grvnhumg
Source: ladas[1].exe.0.dr	Static PE information: section name: .taggant
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name:
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name: .idata
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name:
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name: bqhqoftp
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name: grvnhumg
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name: .taggant
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name: .idata
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name: edffsevf
Source: niks[1].exe.0.dr	Static PE information: section name: xbfgsjgd
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name:
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name: .idata
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name:
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name: edffsevf
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name: xbfgsjgd
Source: amert[1].exe.0.dr	Static PE information: section name:
Source: amert[1].exe.0.dr	Static PE information: section name: .idata
Source: amert[1].exe.0.dr	Static PE information: section name:
Source: amert[1].exe.0.dr	Static PE information: section name: kitsnogt
Source: amert[1].exe.0.dr	Static PE information: section name: uwuqcgqm
Source: amert[1].exe.0.dr	Static PE information: section name: .taggant
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name:
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name: .idata
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name:
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name: kitsnogt
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name: uwuqcgqm
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name: .taggant
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: kitsnogt
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: uwuqcgqm
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: .taggant
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: .idata
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: kitsnogt
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: uwuqcgqm
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: .taggant
Source: amert[1].exe.6.dr	Static PE information: section name:
Source: amert[1].exe.6.dr	Static PE information: section name: .idata
Source: amert[1].exe.6.dr	Static PE information: section name:
Source: amert[1].exe.6.dr	Static PE information: section name: kitsnogt
Source: amert[1].exe.6.dr	Static PE information: section name: uwuqcgqm
Source: amert[1].exe.6.dr	Static PE information: section name: .taggant
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name:
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name: .idata
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name:
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name: kitsnogt
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name: uwuqcgqm
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name: .taggant
Source: niks[1].exe.6.dr	Static PE information: section name:
Source: niks[1].exe.6.dr	Static PE information: section name: .idata
Source: niks[1].exe.6.dr	Static PE information: section name:
Source: niks[1].exe.6.dr	Static PE information: section name: edffsevf
Source: niks[1].exe.6.dr	Static PE information: section name: xbfgsjgd
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name:
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name: .idata
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name:
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name: edffsevf
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name: xbfgsjgd
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name:
Source: ladas[1].exe.6.dr	Static PE information: section name:
Source: ladas[1].exe.6.dr	Static PE information: section name: .idata
Source: ladas[1].exe.6.dr	Static PE information: section name:
Source: ladas[1].exe.6.dr	Static PE information: section name: bqhqoftp
Source: ladas[1].exe.6.dr	Static PE information: section name: grvnhumg
Source: ladas[1].exe.6.dr	Static PE information: section name: .taggant
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name:
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name: .idata
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name:
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name: bqhqoftp
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name: grvnhumg
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name: .taggant
Source: niks[1].exe.7.dr	Static PE information: section name:
Source: niks[1].exe.7.dr	Static PE information: section name: .idata
Source: niks[1].exe.7.dr	Static PE information: section name:
Source: niks[1].exe.7.dr	Static PE information: section name: edffsevf
Source: niks[1].exe.7.dr	Static PE information: section name: xbfgsjgd
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name:
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name: .idata
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name:
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name: edffsevf
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name: xbfgsjgd
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name: .idata
Source: ladas[1].exe.7.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name: bqhqoftp
Source: ladas[1].exe.7.dr	Static PE information: section name: grvnhumg
Source: ladas[1].exe.7.dr	Static PE information: section name: .taggant
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name:
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name: .idata
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name:
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name: bqhqoftp
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name: grvnhumg
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name: .taggant
Source: amert[1].exe.7.dr	Static PE information: section name:
Source: amert[1].exe.7.dr	Static PE information: section name: .idata
Source: amert[1].exe.7.dr	Static PE information: section name:
Source: amert[1].exe.7.dr	Static PE information: section name: kitsnogt
Source: amert[1].exe.7.dr	Static PE information: section name: uwuqcgqm
Source: amert[1].exe.7.dr	Static PE information: section name: .taggant
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name:
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name: .idata
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name:
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name: kitsnogt
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name: uwuqcgqm
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name: .taggant
Source: gmpopenh264.dll.tmp.39.dr	Static PE information: section name: .rodata
Source: explorgu.exe.42.dr	Static PE information: section name:
Source: explorgu.exe.42.dr	Static PE information: section name: .idata
Source: explorgu.exe.42.dr	Static PE information: section name:
Source: explorgu.exe.42.dr	Static PE information: section name: kitsnogt
Source: explorgu.exe.42.dr	Static PE information: section name: uwuqcgqm
Source: explorgu.exe.42.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00B1D157 push ecx; ret		0_2_00B1D16A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0037D157 push ecx; ret		6_2_0037D16A

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name: entropy: 7.983941674526406
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Static PE information: section name: zcmtppku entropy: 7.91533177692051
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.983941674526406
Source: RageMP131.exe.0.dr	Static PE information: section name: zcmtppku entropy: 7.91533177692051
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.983941674526406
Source: MPGPH131.exe.0.dr	Static PE information: section name: zcmtppku entropy: 7.91533177692051
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.999622342475307
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.9916028767402025
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.316484298298194
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.981999467878961
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name: entropy: 7.999622342475307
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name: entropy: 7.9916028767402025
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name: entropy: 7.316484298298194
Source: 3rOLtV34Ut0fTkzynGHi.exe.0.dr	Static PE information: section name: entropy: 7.981999467878961
Source: EdgeMS131.exe.0.dr	Static PE information: section name: entropy: 7.983330876714039
Source: EdgeMS131.exe.0.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841
Source: ladas[1].exe.0.dr	Static PE information: section name: entropy: 7.980391693915322
Source: ladas[1].exe.0.dr	Static PE information: section name: bqhqoftp entropy: 7.9512710718984865
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name: entropy: 7.980391693915322
Source: IDzOFuKIaHRpmM4TfCyF.exe.0.dr	Static PE information: section name: bqhqoftp entropy: 7.9512710718984865
Source: niks[1].exe.0.dr	Static PE information: section name: entropy: 7.794885023152522
Source: niks[1].exe.0.dr	Static PE information: section name: edffsevf entropy: 7.95331790732843
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name: entropy: 7.794885023152522
Source: 4sPiYiirBc4Eg8wqN443.exe.0.dr	Static PE information: section name: edffsevf entropy: 7.95331790732843
Source: amert[1].exe.0.dr	Static PE information: section name: entropy: 7.983330876714039
Source: amert[1].exe.0.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name: entropy: 7.983330876714039
Source: dHERKKd2xGPyY5Ssqp_N.exe.0.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: entropy: 7.983330876714039
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: entropy: 7.983330876714039
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841
Source: amert[1].exe.6.dr	Static PE information: section name: entropy: 7.983330876714039
Source: amert[1].exe.6.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name: entropy: 7.983330876714039
Source: tkp2xLI98ZeXjg0exnoU.exe.6.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841
Source: niks[1].exe.6.dr	Static PE information: section name: entropy: 7.794885023152522
Source: niks[1].exe.6.dr	Static PE information: section name: edffsevf entropy: 7.95331790732843
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name: entropy: 7.794885023152522
Source: r3bD9GPTMOGYxgEqy2KG.exe.6.dr	Static PE information: section name: edffsevf entropy: 7.95331790732843
Source: plaza[1].exe.6.dr	Static PE information: section name: entropy: 7.999622342475307
Source: plaza[1].exe.6.dr	Static PE information: section name: entropy: 7.9916028767402025
Source: plaza[1].exe.6.dr	Static PE information: section name: entropy: 7.316484298298194
Source: plaza[1].exe.6.dr	Static PE information: section name: entropy: 7.981999467878961
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name: entropy: 7.999622342475307
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name: entropy: 7.9916028767402025
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name: entropy: 7.316484298298194
Source: HhXfzERnI4EYVEjNyANc.exe.6.dr	Static PE information: section name: entropy: 7.981999467878961
Source: ladas[1].exe.6.dr	Static PE information: section name: entropy: 7.980391693915322
Source: ladas[1].exe.6.dr	Static PE information: section name: bqhqoftp entropy: 7.9512710718984865
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name: entropy: 7.980391693915322
Source: BzN7a4ewVcXrTgzQjQz2.exe.6.dr	Static PE information: section name: bqhqoftp entropy: 7.9512710718984865
Source: niks[1].exe.7.dr	Static PE information: section name: entropy: 7.794885023152522
Source: niks[1].exe.7.dr	Static PE information: section name: edffsevf entropy: 7.95331790732843
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name: entropy: 7.794885023152522
Source: AqC0xzKsd_7euDTV6SA_.exe.7.dr	Static PE information: section name: edffsevf entropy: 7.95331790732843
Source: plaza[1].exe.7.dr	Static PE information: section name: entropy: 7.999622342475307
Source: plaza[1].exe.7.dr	Static PE information: section name: entropy: 7.9916028767402025
Source: plaza[1].exe.7.dr	Static PE information: section name: entropy: 7.316484298298194
Source: plaza[1].exe.7.dr	Static PE information: section name: entropy: 7.981999467878961
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name: entropy: 7.999622342475307
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name: entropy: 7.9916028767402025
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name: entropy: 7.316484298298194
Source: 8PXzAAoEBuHCTzP4RBWU.exe.7.dr	Static PE information: section name: entropy: 7.981999467878961
Source: ladas[1].exe.7.dr	Static PE information: section name: entropy: 7.980391693915322
Source: ladas[1].exe.7.dr	Static PE information: section name: bqhqoftp entropy: 7.9512710718984865
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name: entropy: 7.980391693915322
Source: zFHlx6IqQx3xR1F02yH2.exe.7.dr	Static PE information: section name: bqhqoftp entropy: 7.9512710718984865
Source: amert[1].exe.7.dr	Static PE information: section name: entropy: 7.983330876714039
Source: amert[1].exe.7.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name: entropy: 7.983330876714039
Source: 7roqVJbvngCJVdY0TyvA.exe.7.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841
Source: explorgu.exe.42.dr	Static PE information: section name: entropy: 7.983330876714039
Source: explorgu.exe.42.dr	Static PE information: section name: kitsnogt entropy: 7.954741541462841

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\6EzL3hHTS7jbM2Oz3y4V.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\amert[1].exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\niks[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\niks[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\AqC0xzKsd_7euDTV6SA_.exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\BzN7a4ewVcXrTgzQjQz2.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\well[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\amert[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\plaza[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\well[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\well[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\HhXfzERnI4EYVEjNyANc.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\7roqVJbvngCJVdY0TyvA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Temp\EdgeMS131\EdgeMS131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\WWQdc6vczGf1JWs0hh6W.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\fu[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\ladas[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\amert[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\niks[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\8PXzAAoEBuHCTzP4RBWU.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\IDzOFuKIaHRpmM4TfCyF.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\tkp2xLI98ZeXjg0exnoU.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\HaJpYvk8t0RJ45fl1Ifn.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\plaza[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\plaza[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\KxZFCNaRhrDevdKhe6iU.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\r3bD9GPTMOGYxgEqy2KG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\3rOLtV34Ut0fTkzynGHi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ladas[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\zFHlx6IqQx3xR1F02yH2.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\fu[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\fu[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\ladas[1].exe	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe			Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: RegmonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: RegmonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe

File created: C:\Windows\Tasks\explorgu.job

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000B8DC7D second address: 0000000000B8DC83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000B8DC83 second address: 0000000000B8DC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D08917 second address: 0000000000D08931 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483126h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000CF25B3 second address: 0000000000CF25D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Ch 0x00000007 jmp 00007FCF9C692A13h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000CF25D6 second address: 0000000000CF25DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0795C second address: 0000000000D07962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D07962 second address: 0000000000D07969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D07F08 second address: 0000000000D07F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D07F0E second address: 0000000000D07F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D07F14 second address: 0000000000D07F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0807A second address: 0000000000D08084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D08084 second address: 0000000000D08092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF9C692A0Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D08092 second address: 0000000000D080A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Bh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0BD59 second address: 0000000000D0BDAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCF9C692A17h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e ja 00007FCF9C692A23h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jp 00007FCF9C692A08h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0BDAA second address: 0000000000D0BDDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCF9D48311Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007FCF9D483120h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0BDDA second address: 0000000000D0BDE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0BDE3 second address: 0000000000B8DC7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D1EDDh], edi 0x0000000e push dword ptr [ebp+122D0365h] 0x00000014 mov esi, eax 0x00000016 call dword ptr [ebp+122D1F15h] 0x0000001c pushad 0x0000001d pushad 0x0000001e movsx edi, bx 0x00000021 xor edx, dword ptr [ebp+122D383Eh] 0x00000027 popad 0x00000028 xor eax, eax 0x0000002a ja 00007FCF9D48311Eh 0x00000030 pushad 0x00000031 mov ecx, dword ptr [ebp+122D3B6Ah] 0x00000037 popad 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c mov dword ptr [ebp+122D2709h], edx 0x00000042 mov dword ptr [ebp+122D3A62h], eax 0x00000048 jmp 00007FCF9D483125h 0x0000004d mov esi, 0000003Ch 0x00000052 pushad 0x00000053 add edi, 5FD59547h 0x00000059 mov edx, dword ptr [ebp+122D386Eh] 0x0000005f popad 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 or dword ptr [ebp+122D2709h], esi 0x0000006a lodsw 0x0000006c cmc 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 jmp 00007FCF9D483129h 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a add dword ptr [ebp+122D2709h], eax 0x00000080 nop 0x00000081 jmp 00007FCF9D483125h 0x00000086 push eax 0x00000087 push eax 0x00000088 push edx 0x00000089 jne 00007FCF9D48312Ah 0x0000008f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C0FB second address: 0000000000D0C14B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jl 00007FCF9C692A0Ch 0x00000010 or ecx, 2627D020h 0x00000016 lea ebx, dword ptr [ebp+12451CA7h] 0x0000001c mov edx, ebx 0x0000001e push ecx 0x0000001f mov edx, dword ptr [ebp+122D3986h] 0x00000025 pop esi 0x00000026 xchg eax, ebx 0x00000027 jmp 00007FCF9C692A19h 0x0000002c push eax 0x0000002d push edi 0x0000002e jc 00007FCF9C692A0Ch 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C1C5 second address: 0000000000D0C1D2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCF9D483116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C1D2 second address: 0000000000D0C1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCF9C692A06h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C1E6 second address: 0000000000D0C1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C1EB second address: 0000000000D0C1F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C1F1 second address: 0000000000D0C231 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push edx 0x00000010 push ebx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ebx 0x00000014 pop edx 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007FCF9D483126h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C231 second address: 0000000000D0C235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C235 second address: 0000000000D0C244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FCF9D483116h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C244 second address: 0000000000D0C27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 mov edx, dword ptr [ebp+122D386Eh] 0x0000000d push 00000003h 0x0000000f push edi 0x00000010 push esi 0x00000011 add edx, dword ptr [ebp+122D385Ah] 0x00000017 pop edi 0x00000018 pop edi 0x00000019 push 00000000h 0x0000001b mov edx, dword ptr [ebp+122D1CC6h] 0x00000021 push 00000003h 0x00000023 mov dx, 8884h 0x00000027 call 00007FCF9C692A09h 0x0000002c push eax 0x0000002d push edx 0x0000002e push edi 0x0000002f pushad 0x00000030 popad 0x00000031 pop edi 0x00000032 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C27A second address: 0000000000D0C2B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCF9D48311Fh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e js 00007FCF9D48311Eh 0x00000014 jng 00007FCF9D483118h 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jnc 00007FCF9D483116h 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C2B0 second address: 0000000000D0C2B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C2B6 second address: 0000000000D0C2F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483123h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e jmp 00007FCF9D483128h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 jo 00007FCF9D48311Eh 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C2F8 second address: 0000000000D0C34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push 00000000h 0x00000008 push ebp 0x00000009 call 00007FCF9C692A08h 0x0000000e pop ebp 0x0000000f mov dword ptr [esp+04h], ebp 0x00000013 add dword ptr [esp+04h], 00000019h 0x0000001b inc ebp 0x0000001c push ebp 0x0000001d ret 0x0000001e pop ebp 0x0000001f ret 0x00000020 mov ecx, 55C5AAD1h 0x00000025 lea ebx, dword ptr [ebp+12451CB2h] 0x0000002b mov ecx, 22E4B992h 0x00000030 mov edi, ebx 0x00000032 xchg eax, ebx 0x00000033 jl 00007FCF9C692A0Ah 0x00000039 push edi 0x0000003a pushad 0x0000003b popad 0x0000003c pop edi 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jg 00007FCF9C692A0Ch 0x00000046 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C34B second address: 0000000000D0C351 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D0C351 second address: 0000000000D0C355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2B5F0 second address: 0000000000D2B5F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2B8AF second address: 0000000000D2B8CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007FCF9C692A18h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2B8CE second address: 0000000000D2B8EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483128h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2B8EE second address: 0000000000D2B8F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2BA79 second address: 0000000000D2BA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007FCF9D483116h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2BD3D second address: 0000000000D2BD5C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCF9C692A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FCF9C692A11h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2BD5C second address: 0000000000D2BD62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2BD62 second address: 0000000000D2BD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2BD66 second address: 0000000000D2BD6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2BD6A second address: 0000000000D2BD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2BD70 second address: 0000000000D2BD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2C048 second address: 0000000000D2C04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2C436 second address: 0000000000D2C453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCF9D483126h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D2C453 second address: 0000000000D2C467 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FCF9C692A0Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D31A47 second address: 0000000000D31A4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D31A4B second address: 0000000000D31A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D31A51 second address: 0000000000D31A77 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCF9D483127h 0x00000008 jmp 00007FCF9D483121h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007FCF9D483116h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D31A77 second address: 0000000000D31A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D31A7B second address: 0000000000D31A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D31A81 second address: 0000000000D31A87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D31F2C second address: 0000000000D31F41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCF9D483120h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D31F41 second address: 0000000000D31F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCF9C692A0Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D320ED second address: 0000000000D320F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D320F3 second address: 0000000000D32101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D32101 second address: 0000000000D32116 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jc 00007FCF9D483120h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D32116 second address: 0000000000D32127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edi 0x00000009 jc 00007FCF9C692A0Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D32127 second address: 0000000000D32134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D32134 second address: 0000000000D3213A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D32211 second address: 0000000000D3222C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCF9D483116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jng 00007FCF9D483128h 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007FCF9D483116h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D34180 second address: 0000000000D34186 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D34186 second address: 0000000000D34190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D34190 second address: 0000000000D34196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000CFC711 second address: 0000000000CFC716 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000CFC716 second address: 0000000000CFC729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007FCF9C692A12h 0x0000000b jno 00007FCF9C692A06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000CFC729 second address: 0000000000CFC73B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FCF9D483116h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000CFC73B second address: 0000000000CFC741 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D36CBE second address: 0000000000D36CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B098 second address: 0000000000D3B09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B09E second address: 0000000000D3B0A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B0A7 second address: 0000000000D3B0AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B0AD second address: 0000000000D3B0B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FCF9D483116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B353 second address: 0000000000D3B364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jc 00007FCF9C692A12h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B364 second address: 0000000000D3B36A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B36A second address: 0000000000D3B372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B372 second address: 0000000000D3B37B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B50A second address: 0000000000D3B536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007FCF9C692A06h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FCF9C692A12h 0x00000013 popad 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007FCF9C692A06h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3B536 second address: 0000000000D3B546 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCF9D483116h 0x00000008 jg 00007FCF9D483116h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3BACC second address: 0000000000D3BAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3BAD4 second address: 0000000000D3BADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3C3F1 second address: 0000000000D3C407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF9C692A12h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3C407 second address: 0000000000D3C40B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3C48C second address: 0000000000D3C49F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 jc 00007FCF9C692A10h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3C49F second address: 0000000000D3C4BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jc 00007FCF9D48311Eh 0x00000010 jns 00007FCF9D483118h 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3C874 second address: 0000000000D3C878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3D046 second address: 0000000000D3D04C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3D0B6 second address: 0000000000D3D0DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edi 0x0000000a jmp 00007FCF9C692A0Bh 0x0000000f pop edi 0x00000010 pop eax 0x00000011 xchg eax, ebx 0x00000012 mov di, cx 0x00000015 push eax 0x00000016 jbe 00007FCF9C692A18h 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3D33C second address: 0000000000D3D341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3D341 second address: 0000000000D3D347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3D347 second address: 0000000000D3D34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3D435 second address: 0000000000D3D43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3D43A second address: 0000000000D3D43F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3D6E1 second address: 0000000000D3D6E7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3D6E7 second address: 0000000000D3D73C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop eax 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FCF9D483118h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov esi, dword ptr [ebp+122D3982h] 0x00000031 xchg eax, ebx 0x00000032 pushad 0x00000033 push edx 0x00000034 jg 00007FCF9D483116h 0x0000003a pop edx 0x0000003b jmp 00007FCF9D48311Ah 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 push eax 0x00000045 pop eax 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3E5DB second address: 0000000000D3E653 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FCF9C692A08h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov di, 7836h 0x00000029 push ecx 0x0000002a adc esi, 4CB81EC4h 0x00000030 pop edi 0x00000031 push 00000000h 0x00000033 mov esi, ebx 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FCF9C692A08h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000017h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 cmc 0x00000052 xchg eax, ebx 0x00000053 push ecx 0x00000054 push eax 0x00000055 push edx 0x00000056 jno 00007FCF9C692A06h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3F61B second address: 0000000000D3F61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4011D second address: 0000000000D40121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D3FEA9 second address: 0000000000D3FEAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D40121 second address: 0000000000D40130 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCF9C692A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D40130 second address: 0000000000D40136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D42D5E second address: 0000000000D42D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D42D62 second address: 0000000000D42DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2352h], ebx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 xchg eax, ebx 0x00000015 pushad 0x00000016 pushad 0x00000017 jmp 00007FCF9D483123h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCF9D483128h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D43897 second address: 0000000000D4389B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D44297 second address: 0000000000D442A6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007FCF9D483116h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D442A6 second address: 0000000000D4432E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FCF9C692A0Eh 0x0000000c nop 0x0000000d push edx 0x0000000e and edi, 3E687F9Ch 0x00000014 pop esi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FCF9C692A08h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007FCF9C692A08h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d cld 0x0000004e jno 00007FCF9C692A15h 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push ecx 0x0000005a pop ecx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4432E second address: 0000000000D44332 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D44332 second address: 0000000000D44338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D44338 second address: 0000000000D4433D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4433D second address: 0000000000D44343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D47569 second address: 0000000000D4756F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D47B37 second address: 0000000000D47B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D44066 second address: 0000000000D4406A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D48C08 second address: 0000000000D48C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FCF9C692A08h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 xor dword ptr [ebp+122D1E3Ah], esi 0x0000002b push 00000000h 0x0000002d xor ebx, dword ptr [ebp+1247517Ah] 0x00000033 push 00000000h 0x00000035 add dword ptr [ebp+1244D3CEh], ebx 0x0000003b push eax 0x0000003c pushad 0x0000003d jl 00007FCF9C692A08h 0x00000043 pushad 0x00000044 popad 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D48C5B second address: 0000000000D48C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D44B81 second address: 0000000000D44B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4C96C second address: 0000000000D4C985 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCF9D483116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCF9D48311Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4C985 second address: 0000000000D4C9CD instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCF9C692A08h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sub ebx, 739D609Bh 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FCF9C692A08h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f sub edi, 00119B68h 0x00000035 push 00000000h 0x00000037 add dword ptr [ebp+122D2137h], esi 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4C9CD second address: 0000000000D4C9D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4C9D4 second address: 0000000000D4C9FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FCF9C692A06h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4C9FB second address: 0000000000D4CA05 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCF9D483116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4CA05 second address: 0000000000D4CA0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4D92F second address: 0000000000D4D933 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D49DAB second address: 0000000000D49E40 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCF9C692A08h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007FCF9C692A08h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 push dword ptr fs:[00000000h] 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007FCF9C692A08h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a mov edi, 3ABBEC74h 0x0000004f mov dword ptr fs:[00000000h], esp 0x00000056 mov ebx, 3702CB0Ch 0x0000005b mov eax, dword ptr [ebp+122D147Dh] 0x00000061 jmp 00007FCF9C692A10h 0x00000066 pushad 0x00000067 cmc 0x00000068 mov edi, dword ptr [ebp+122D3972h] 0x0000006e popad 0x0000006f push FFFFFFFFh 0x00000071 jnc 00007FCF9C692A08h 0x00000077 mov ebx, edx 0x00000079 push eax 0x0000007a pushad 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D49E40 second address: 0000000000D49E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4E9BF second address: 0000000000D4EA3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FCF9C692A08h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007FCF9C692A08h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ecx 0x00000046 call 00007FCF9C692A08h 0x0000004b pop ecx 0x0000004c mov dword ptr [esp+04h], ecx 0x00000050 add dword ptr [esp+04h], 00000014h 0x00000058 inc ecx 0x00000059 push ecx 0x0000005a ret 0x0000005b pop ecx 0x0000005c ret 0x0000005d mov edi, 504E293Ah 0x00000062 xchg eax, esi 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 jnl 00007FCF9C692A06h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4DB17 second address: 0000000000D4DB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 add di, 6A43h 0x0000000e jmp 00007FCF9D483126h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a add edi, dword ptr [ebp+122D3876h] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 mov di, 2DDCh 0x0000002b mov eax, dword ptr [ebp+122D0391h] 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007FCF9D483118h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000017h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b mov ebx, dword ptr [ebp+1247515Ah] 0x00000051 push FFFFFFFFh 0x00000053 or di, D29Eh 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4DB8C second address: 0000000000D4DB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4DB90 second address: 0000000000D4DB96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D508DB second address: 0000000000D508E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D508E2 second address: 0000000000D5093F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FCF9D483118h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov ebx, dword ptr [ebp+122D38FEh] 0x00000028 mov di, 486Ah 0x0000002c push 00000000h 0x0000002e xor edi, 5ACB125Ah 0x00000034 push 00000000h 0x00000036 jmp 00007FCF9D483129h 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D5093F second address: 0000000000D50944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D50944 second address: 0000000000D50949 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D50949 second address: 0000000000D5095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 je 00007FCF9C692A0Eh 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D51933 second address: 0000000000D51939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D51939 second address: 0000000000D519C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jg 00007FCF9C692A08h 0x00000013 jmp 00007FCF9C692A0Ch 0x00000018 popad 0x00000019 nop 0x0000001a mov ebx, dword ptr [ebp+124752BBh] 0x00000020 mov di, si 0x00000023 push 00000000h 0x00000025 push edx 0x00000026 mov dword ptr [ebp+122D28E7h], esi 0x0000002c pop edi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007FCF9C692A08h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 mov edi, 78A789A1h 0x0000004e xor ebx, 06475B0Fh 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push ebx 0x00000058 jmp 00007FCF9C692A17h 0x0000005d pop ebx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D5297A second address: 0000000000D52980 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D52980 second address: 0000000000D529DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c call 00007FCF9C692A0Fh 0x00000011 pop ebx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FCF9C692A08h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e movzx edi, bx 0x00000031 push 00000000h 0x00000033 add bx, F4FDh 0x00000038 push eax 0x00000039 js 00007FCF9C692A14h 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D529DA second address: 0000000000D529DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4FB81 second address: 0000000000D4FB86 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D54A0F second address: 0000000000D54A2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D54A2C second address: 0000000000D54A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D54A32 second address: 0000000000D54AD8 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCF9D483116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FCF9D483118h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D3926h] 0x0000002f mov ebx, dword ptr [ebp+122D3A42h] 0x00000035 push 00000000h 0x00000037 call 00007FCF9D483125h 0x0000003c mov bx, 4852h 0x00000040 pop ebx 0x00000041 mov bx, cx 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push edi 0x00000049 call 00007FCF9D483118h 0x0000004e pop edi 0x0000004f mov dword ptr [esp+04h], edi 0x00000053 add dword ptr [esp+04h], 0000001Ch 0x0000005b inc edi 0x0000005c push edi 0x0000005d ret 0x0000005e pop edi 0x0000005f ret 0x00000060 mov edi, dword ptr [ebp+122D3906h] 0x00000066 jmp 00007FCF9D48311Eh 0x0000006b xchg eax, esi 0x0000006c pushad 0x0000006d push edx 0x0000006e jl 00007FCF9D483116h 0x00000074 pop edx 0x00000075 push edi 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D54AD8 second address: 0000000000D54AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D54AE5 second address: 0000000000D54AFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483121h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D54AFA second address: 0000000000D54B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D54B00 second address: 0000000000D54B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D55ACC second address: 0000000000D55AD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D55AD0 second address: 0000000000D55AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D54D86 second address: 0000000000D54D8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D58E3B second address: 0000000000D58E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D58E40 second address: 0000000000D58E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D58E46 second address: 0000000000D58E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D58E4A second address: 0000000000D58E73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jg 00007FCF9C692A06h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D5BC9F second address: 0000000000D5BD07 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCF9D483118h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCF9D483124h 0x00000010 pushad 0x00000011 jmp 00007FCF9D483126h 0x00000016 jmp 00007FCF9D483123h 0x0000001b jg 00007FCF9D483116h 0x00000021 popad 0x00000022 pushad 0x00000023 jmp 00007FCF9D483123h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D61C12 second address: 0000000000D61C1C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCF9C692A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D61C1C second address: 0000000000D61C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCF9D483125h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D61C37 second address: 0000000000D61C3D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D614A3 second address: 0000000000D614A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D614A9 second address: 0000000000D614B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FCF9C692A0Eh 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D614B8 second address: 0000000000D614DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007FCF9D48311Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FCF9D483120h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D61621 second address: 0000000000D6162B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCF9C692A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D617B3 second address: 0000000000D617C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FCF9D483116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D669D8 second address: 0000000000D669DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6E352 second address: 0000000000D6E36E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FCF9D483125h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6E36E second address: 0000000000D6E373 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6D157 second address: 0000000000D6D181 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483120h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007FCF9D483122h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6D181 second address: 0000000000D6D18E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCF9C692A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6D9CE second address: 0000000000D6D9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6DC3F second address: 0000000000D6DC43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6DC43 second address: 0000000000D6DC80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Fh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edx 0x0000000d jmp 00007FCF9D48311Ch 0x00000012 pushad 0x00000013 jmp 00007FCF9D483127h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6E1C8 second address: 0000000000D6E1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jl 00007FCF9C692A06h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6E1D5 second address: 0000000000D6E1DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6E1DA second address: 0000000000D6E1F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007FCF9C692A0Eh 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6E1F9 second address: 0000000000D6E1FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6E1FF second address: 0000000000D6E205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D6E205 second address: 0000000000D6E209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D74236 second address: 0000000000D74253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a jmp 00007FCF9C692A12h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D74253 second address: 0000000000D74258 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D72B42 second address: 0000000000D72B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D72CD7 second address: 0000000000D72CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FCF9D483116h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D72F7D second address: 0000000000D72F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCF9C692A06h 0x0000000a pop ebx 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D73404 second address: 0000000000D73408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D73408 second address: 0000000000D7340C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7340C second address: 0000000000D73412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D73412 second address: 0000000000D73422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jl 00007FCF9C692A06h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D738B5 second address: 0000000000D738BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D738BA second address: 0000000000D738F0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCF9C692A0Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCF9C692A13h 0x00000011 jmp 00007FCF9C692A0Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D79092 second address: 0000000000D7909C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCF9D48311Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4542F second address: 0000000000D45434 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45434 second address: 0000000000D45479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007FCF9D48311Eh 0x0000000f mov di, BA15h 0x00000013 lea eax, dword ptr [ebp+1248B1B6h] 0x00000019 pushad 0x0000001a jmp 00007FCF9D483122h 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jno 00007FCF9D48311Ch 0x00000029 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4597A second address: 0000000000B8DC7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b jmp 00007FCF9C692A11h 0x00000010 push dword ptr [ebp+122D0365h] 0x00000016 cmc 0x00000017 call dword ptr [ebp+122D1F15h] 0x0000001d pushad 0x0000001e pushad 0x0000001f movsx edi, bx 0x00000022 xor edx, dword ptr [ebp+122D383Eh] 0x00000028 popad 0x00000029 xor eax, eax 0x0000002b ja 00007FCF9C692A0Eh 0x00000031 pushad 0x00000032 mov ecx, dword ptr [ebp+122D3B6Ah] 0x00000038 popad 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d mov dword ptr [ebp+122D2709h], edx 0x00000043 mov dword ptr [ebp+122D3A62h], eax 0x00000049 jmp 00007FCF9C692A15h 0x0000004e mov esi, 0000003Ch 0x00000053 pushad 0x00000054 add edi, 5FD59547h 0x0000005a mov edx, dword ptr [ebp+122D386Eh] 0x00000060 popad 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 or dword ptr [ebp+122D2709h], esi 0x0000006b lodsw 0x0000006d cmc 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jmp 00007FCF9C692A19h 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b add dword ptr [ebp+122D2709h], eax 0x00000081 nop 0x00000082 jmp 00007FCF9C692A15h 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a jne 00007FCF9C692A1Ah 0x00000090 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45B31 second address: 0000000000D45B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 0639056Dh 0x00000010 jmp 00007FCF9D483121h 0x00000015 push 1FD7C8C0h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45B6E second address: 0000000000D45B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45C6E second address: 0000000000D45C72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45C72 second address: 0000000000D45C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45C78 second address: 0000000000D45C7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45C7F second address: 0000000000D45CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], esi 0x0000000a mov edi, dword ptr [ebp+122D3B4Eh] 0x00000010 add di, E048h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCF9C692A14h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45DB7 second address: 0000000000D45DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45DBB second address: 0000000000D45E03 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCF9C692A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007FCF9C692A1Dh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 jl 00007FCF9C692A08h 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push esi 0x00000022 pop esi 0x00000023 popad 0x00000024 popad 0x00000025 mov eax, dword ptr [eax] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a jc 00007FCF9C692A06h 0x00000030 pop eax 0x00000031 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45E03 second address: 0000000000D45E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D45E09 second address: 0000000000D45E0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D46016 second address: 0000000000D4601C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D463D3 second address: 0000000000D463D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D46741 second address: 0000000000D467AF instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCF9D483116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edi 0x00000014 nop 0x00000015 push esi 0x00000016 mov cx, A3C7h 0x0000001a pop ecx 0x0000001b lea eax, dword ptr [ebp+1248B1FAh] 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007FCF9D483118h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 00000019h 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b ja 00007FCF9D48312Dh 0x00000041 mov dx, F962h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jnp 00007FCF9D483118h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D467AF second address: 0000000000D4681C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FCF9C692A08h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 call 00007FCF9C692A0Fh 0x0000002b xor dword ptr [ebp+12479004h], edx 0x00000031 pop edi 0x00000032 lea eax, dword ptr [ebp+1248B1B6h] 0x00000038 or dword ptr [ebp+1247517Ah], edi 0x0000003e push eax 0x0000003f pushad 0x00000040 jmp 00007FCF9C692A15h 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D4681C second address: 0000000000D46822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D46822 second address: 0000000000D1FC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FCF9C692A08h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 call dword ptr [ebp+1244D424h] 0x00000029 pushad 0x0000002a jng 00007FCF9C692A1Bh 0x00000030 push esi 0x00000031 pop esi 0x00000032 jmp 00007FCF9C692A13h 0x00000037 push esi 0x00000038 jnc 00007FCF9C692A06h 0x0000003e push esi 0x0000003f pop esi 0x00000040 pop esi 0x00000041 push ebx 0x00000042 jmp 00007FCF9C692A0Bh 0x00000047 jmp 00007FCF9C692A14h 0x0000004c pop ebx 0x0000004d popad 0x0000004e push ecx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7830B second address: 0000000000D78311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D78311 second address: 0000000000D78316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D78316 second address: 0000000000D7831C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7831C second address: 0000000000D78320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D78320 second address: 0000000000D7832A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCF9D483116h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D78602 second address: 0000000000D7860A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7860A second address: 0000000000D7861A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FCF9D483116h 0x0000000a jg 00007FCF9D483116h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D78930 second address: 0000000000D78948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCF9C692A06h 0x0000000a jns 00007FCF9C692A0Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D78948 second address: 0000000000D7894D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D78AD6 second address: 0000000000D78AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF9C692A13h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D78AEF second address: 0000000000D78AFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7D866 second address: 0000000000D7D881 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7D881 second address: 0000000000D7D8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF9D483124h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FCF9D483116h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7E2A9 second address: 0000000000D7E2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007FCF9C692A0Eh 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCF9C692A16h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7E2D8 second address: 0000000000D7E313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ja 00007FCF9D483149h 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FCF9D483129h 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push edx 0x0000001e pop edx 0x0000001f js 00007FCF9D483116h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7E447 second address: 0000000000D7E459 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D7E891 second address: 0000000000D7E895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D8683A second address: 0000000000D8684B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FCF9C692A06h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D89A33 second address: 0000000000D89A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D89A37 second address: 0000000000D89A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCF9C692A06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007FCF9C692A08h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D89A4F second address: 0000000000D89A5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FCF9D483116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D89A5F second address: 0000000000D89A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D8929B second address: 0000000000D892A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D892A2 second address: 0000000000D892C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF9C692A16h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FCF9C692A06h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D8941E second address: 0000000000D89432 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCF9D483116h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FCF9D483116h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D89598 second address: 0000000000D895A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCF9C692A06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D895A2 second address: 0000000000D895A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D895A8 second address: 0000000000D895C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A18h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D935E9 second address: 0000000000D935F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D935F0 second address: 0000000000D935FA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCF9C692A0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D935FA second address: 0000000000D93601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D93601 second address: 0000000000D9362B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FCF9C692A0Ah 0x0000000f pushad 0x00000010 jmp 00007FCF9C692A13h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D92054 second address: 0000000000D9206C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Fh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D461A9 second address: 0000000000D461AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D461AF second address: 0000000000D46245 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483125h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FCF9D483125h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FCF9D483118h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov ebx, dword ptr [ebp+1248B1F5h] 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007FCF9D483118h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 00000018h 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D1F9Bh], ecx 0x00000052 add eax, ebx 0x00000054 mov ecx, dword ptr [ebp+122D2A0Ch] 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FCF9D48311Dh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9336D second address: 0000000000D93371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9600B second address: 0000000000D9600F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9600F second address: 0000000000D96015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D96015 second address: 0000000000D96034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCF9D483129h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D96466 second address: 0000000000D9646A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A812 second address: 0000000000D9A826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF9D48311Fh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A826 second address: 0000000000D9A82C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A82C second address: 0000000000D9A836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCF9D483116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A836 second address: 0000000000D9A851 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCF9C692A0Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A851 second address: 0000000000D9A856 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A10F second address: 0000000000D9A140 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FCF9C692A06h 0x00000009 jmp 00007FCF9C692A11h 0x0000000e jmp 00007FCF9C692A12h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A140 second address: 0000000000D9A15A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCF9D483116h 0x00000008 jbe 00007FCF9D483116h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edi 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A27B second address: 0000000000D9A27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A27F second address: 0000000000D9A2A5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FCF9D483118h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCF9D483125h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A403 second address: 0000000000D9A415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF9C692A0Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000D9A415 second address: 0000000000D9A419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA2348 second address: 0000000000DA234C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA0348 second address: 0000000000DA034C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA034C second address: 0000000000DA0360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FCF9C692A06h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA0360 second address: 0000000000DA036E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA0642 second address: 0000000000DA0682 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCF9C692A06h 0x00000008 jmp 00007FCF9C692A18h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007FCF9C692A16h 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA0989 second address: 0000000000DA0997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA0997 second address: 0000000000DA099D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA099D second address: 0000000000DA09AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FCF9D483116h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA09AA second address: 0000000000DA09C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FCF9C692A11h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA11C8 second address: 0000000000DA11D2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCF9D483116h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA11D2 second address: 0000000000DA11D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA1A0F second address: 0000000000DA1A14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA1A14 second address: 0000000000DA1A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA1A22 second address: 0000000000DA1A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA1A28 second address: 0000000000DA1A71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FCF9C692A19h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 jp 00007FCF9C692A06h 0x00000018 je 00007FCF9C692A06h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 pushad 0x00000022 jmp 00007FCF9C692A0Bh 0x00000027 jc 00007FCF9C692A06h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA1D42 second address: 0000000000DA1D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA1D48 second address: 0000000000DA1D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA1D4C second address: 0000000000DA1D66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jnl 00007FCF9D48311Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA2018 second address: 0000000000DA2042 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A15h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCF9C692A11h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA2042 second address: 0000000000DA2059 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483123h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA2059 second address: 0000000000DA206B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push ebx 0x0000000a jnc 00007FCF9C692A06h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA9138 second address: 0000000000DA9150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FCF9D483116h 0x00000009 jmp 00007FCF9D48311Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA9150 second address: 0000000000DA915B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DA915B second address: 0000000000DA9169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jo 00007FCF9D483116h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DAD21E second address: 0000000000DAD23D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A16h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DAD23D second address: 0000000000DAD243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DAC668 second address: 0000000000DAC66E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DAC91B second address: 0000000000DAC928 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FCF9D483116h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DACAAE second address: 0000000000DACACD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A19h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DACD8A second address: 0000000000DACD91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DACD91 second address: 0000000000DACD97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB43C1 second address: 0000000000DB43C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB43C7 second address: 0000000000DB43D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jp 00007FCF9C692A06h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB43D6 second address: 0000000000DB43E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB46CC second address: 0000000000DB46DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4819 second address: 0000000000DB4846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF9D483121h 0x00000009 jmp 00007FCF9D483128h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4846 second address: 0000000000DB4865 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCF9C692A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FCF9C692A0Dh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4A0C second address: 0000000000DB4A12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4BA9 second address: 0000000000DB4BC2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FCF9C692A0Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4BC2 second address: 0000000000DB4BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCF9D48311Ch 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4D2A second address: 0000000000DB4D2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4D2E second address: 0000000000DB4D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4D34 second address: 0000000000DB4D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007FCF9C692A06h 0x00000009 pop eax 0x0000000a jmp 00007FCF9C692A17h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop ebx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4D60 second address: 0000000000DB4D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4D66 second address: 0000000000DB4D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 je 00007FCF9C692A06h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4D73 second address: 0000000000DB4D8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483125h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4E92 second address: 0000000000DB4E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4E9A second address: 0000000000DB4EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4EA1 second address: 0000000000DB4EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jl 00007FCF9C692A06h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4EB4 second address: 0000000000DB4EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4EB8 second address: 0000000000DB4EE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A15h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c js 00007FCF9C692A06h 0x00000012 jo 00007FCF9C692A06h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB4EE5 second address: 0000000000DB4EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB5026 second address: 0000000000DB5041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FCF9C692A16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB5842 second address: 0000000000DB5848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB5F82 second address: 0000000000DB5F88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB5F88 second address: 0000000000DB5F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB3CED second address: 0000000000DB3D0C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FCF9C692A19h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB3D0C second address: 0000000000DB3D11 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DB3D11 second address: 0000000000DB3D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jne 00007FCF9C692A06h 0x0000000e je 00007FCF9C692A06h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DBDF38 second address: 0000000000DBDF5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FCF9D483129h 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DBDF5B second address: 0000000000DBDF76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FCF9C692A10h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DBE122 second address: 0000000000DBE132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jbe 00007FCF9D483116h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DBE132 second address: 0000000000DBE178 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FCF9C692A0Bh 0x00000010 pushad 0x00000011 jmp 00007FCF9C692A15h 0x00000016 jg 00007FCF9C692A06h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DBE2D4 second address: 0000000000DBE2FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push edx 0x0000000b jmp 00007FCF9D483127h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCC4A1 second address: 0000000000DCC4AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCC4AD second address: 0000000000DCC4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jns 00007FCF9D48311Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCC4C0 second address: 0000000000DCC4C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCC4C6 second address: 0000000000DCC4CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCEAC5 second address: 0000000000DCEACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCEACB second address: 0000000000DCEAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCF9D483125h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCE5ED second address: 0000000000DCE5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCE5F1 second address: 0000000000DCE5F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCE5F7 second address: 0000000000DCE605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCE605 second address: 0000000000DCE609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCE609 second address: 0000000000DCE60D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCE78C second address: 0000000000DCE796 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCF9D483116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCE796 second address: 0000000000DCE79C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DCE79C second address: 0000000000DCE7AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DD5265 second address: 0000000000DD526B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DD526B second address: 0000000000DD5270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DDCE07 second address: 0000000000DDCE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DDCE0B second address: 0000000000DDCE1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007FCF9D483116h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DDCCA2 second address: 0000000000DDCCA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DDCCA8 second address: 0000000000DDCCAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DE56CA second address: 0000000000DE56CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DE56CE second address: 0000000000DE56D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DE5835 second address: 0000000000DE5868 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A10h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCF9C692A12h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007FCF9C692A08h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DE5868 second address: 0000000000DE5874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jg 00007FCF9D483116h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DE5B53 second address: 0000000000DE5B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DE613D second address: 0000000000DE6143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DE6143 second address: 0000000000DE6149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DE6149 second address: 0000000000DE616E instructions: 0x00000000 rdtsc 0x00000002 js 00007FCF9D48311Eh 0x00000008 jg 00007FCF9D483116h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FCF9D48311Eh 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DE616E second address: 0000000000DE6190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007FCF9C692A19h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000DEA56A second address: 0000000000DEA575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E01606 second address: 0000000000E0160A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E0160A second address: 0000000000E0160E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E0E60A second address: 0000000000E0E619 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E0E619 second address: 0000000000E0E640 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FCF9D48311Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e jmp 00007FCF9D48311Ah 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 push edi 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E0E496 second address: 0000000000E0E4A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FCF9C692A06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E0E4A0 second address: 0000000000E0E4BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FCF9D483126h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E10EF0 second address: 0000000000E10EF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E10EF4 second address: 0000000000E10F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FCF9D48311Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E10F08 second address: 0000000000E10F0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E392A1 second address: 0000000000E392A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E392A5 second address: 0000000000E392AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E395CF second address: 0000000000E395E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jno 00007FCF9D483116h 0x0000000c jne 00007FCF9D483116h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E395E3 second address: 0000000000E395E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E395E9 second address: 0000000000E395EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E395EE second address: 0000000000E395F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FCF9C692A06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E395F8 second address: 0000000000E39613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCF9D483121h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E39613 second address: 0000000000E39623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FCF9C692A06h 0x0000000a jc 00007FCF9C692A06h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E39623 second address: 0000000000E39629 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E39A6A second address: 0000000000E39A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E39F16 second address: 0000000000E39F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E39F1A second address: 0000000000E39F24 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCF9C692A06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E39F24 second address: 0000000000E39F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FCF9D483118h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E3BB47 second address: 0000000000E3BB5D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCF9C692A06h 0x00000008 jmp 00007FCF9C692A0Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E3BB5D second address: 0000000000E3BB62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E3BB62 second address: 0000000000E3BB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF9C692A0Ch 0x00000009 jg 00007FCF9C692A06h 0x0000000f ja 00007FCF9C692A06h 0x00000015 popad 0x00000016 jmp 00007FCF9C692A0Dh 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E3BB93 second address: 0000000000E3BB99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E3BB99 second address: 0000000000E3BB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E3BB9E second address: 0000000000E3BBB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCF9D48311Bh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FCF9D483116h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E3D2F7 second address: 0000000000E3D2FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E3FE05 second address: 0000000000E3FE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E40425 second address: 0000000000E40471 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dh, cl 0x0000000d add edx, dword ptr [ebp+122D381Ah] 0x00000013 push dword ptr [ebp+122D311Dh] 0x00000019 mov edx, dword ptr [ebp+12478FF3h] 0x0000001f call 00007FCF9C692A09h 0x00000024 je 00007FCF9C692A12h 0x0000002a jnc 00007FCF9C692A0Ch 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FCF9C692A0Fh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E40471 second address: 0000000000E4049B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FCF9D48311Dh 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E41AC0 second address: 0000000000E41AC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E43B1D second address: 0000000000E43B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCF9D483116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E43B27 second address: 0000000000E43B31 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCF9C692A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E43B31 second address: 0000000000E43B3B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000000E43B3B second address: 0000000000E43B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000553085B second address: 0000000005530878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005530878 second address: 000000000553089D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCF9C692A0Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000553089D second address: 00000000055308A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055308A3 second address: 00000000055308A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055308A7 second address: 00000000055308AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055705B3 second address: 00000000055705C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055705C3 second address: 00000000055705D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, B9h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055705D9 second address: 00000000055705DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055705DF second address: 00000000055705F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov ecx, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055705F0 second address: 0000000005570601 instructions: 0x00000000 rdtsc 0x00000002 mov cx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov edx, 4BD8283Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500C4B second address: 0000000005500C51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500C51 second address: 0000000005500C91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FCF9C692A0Dh 0x00000014 or ch, FFFFFFB6h 0x00000017 jmp 00007FCF9C692A11h 0x0000001c popfd 0x0000001d mov ecx, 5B3281A7h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500C91 second address: 0000000005500CB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 11C12BB5h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCF9D483127h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500CB8 second address: 0000000005500CBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500CBE second address: 0000000005500CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500CC2 second address: 0000000005500CE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c jmp 00007FCF9C692A0Dh 0x00000011 mov dh, ah 0x00000013 popad 0x00000014 push dword ptr [ebp+08h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500CE7 second address: 0000000005500CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500CEB second address: 0000000005500CEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500CEF second address: 0000000005500CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005500CF5 second address: 0000000005500D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF9C692A0Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570381 second address: 00000000055703CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCF9D483126h 0x0000000f push eax 0x00000010 jmp 00007FCF9D48311Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCF9D483125h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055703CB second address: 0000000005570415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FCF9C692A0Eh 0x00000010 pop ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FCF9C692A0Eh 0x00000018 xor al, FFFFFFC8h 0x0000001b jmp 00007FCF9C692A0Bh 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 movzx ecx, bx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D59 second address: 0000000005540D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D5D second address: 0000000005540D61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D61 second address: 0000000005540D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D67 second address: 0000000005540D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D6D second address: 0000000005540D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D71 second address: 0000000005540D85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movzx eax, di 0x0000000d push eax 0x0000000e push edx 0x0000000f mov edi, 38A15324h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D85 second address: 0000000005540DCC instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 0C327D90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FCF9D483124h 0x00000012 adc si, D1D8h 0x00000017 jmp 00007FCF9D48311Bh 0x0000001c popfd 0x0000001d movzx esi, di 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FCF9D48311Eh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540DCC second address: 0000000005540E0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov bx, cx 0x0000000f pushfd 0x00000010 jmp 00007FCF9C692A10h 0x00000015 or ch, FFFFFF98h 0x00000018 jmp 00007FCF9C692A0Bh 0x0000001d popfd 0x0000001e popad 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 mov bh, 06h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000559000A second address: 0000000005590029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483124h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005590029 second address: 0000000005590046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005590046 second address: 000000000559004C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000559004C second address: 0000000005590050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005590050 second address: 0000000005590054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005590054 second address: 0000000005590097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx eax, di 0x0000000d pushfd 0x0000000e jmp 00007FCF9C692A11h 0x00000013 add ecx, 49B65EE6h 0x00000019 jmp 00007FCF9C692A11h 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov bx, 796Eh 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005590097 second address: 000000000559009D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000559009D second address: 00000000055900A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055900A1 second address: 00000000055900BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov eax, ebx 0x00000012 mov ecx, edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055900BD second address: 00000000055900E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCF9C692A10h 0x00000009 or cl, 00000018h 0x0000000c jmp 00007FCF9C692A0Bh 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570D17 second address: 0000000005570D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570D1B second address: 0000000005570D38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570D38 second address: 0000000005570D7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 pushfd 0x00000006 jmp 00007FCF9D483128h 0x0000000b or ah, 00000008h 0x0000000e jmp 00007FCF9D48311Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FCF9D483124h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570D7F second address: 0000000005570D85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570D85 second address: 0000000005570DCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FCF9D48311Eh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov dx, 28E0h 0x0000001a jmp 00007FCF9D483129h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570DCA second address: 0000000005570DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF9C692A0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570DDA second address: 0000000005570DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570DDE second address: 0000000005570DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e mov edi, esi 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055704A5 second address: 00000000055704C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570A08 second address: 0000000005570A2C instructions: 0x00000000 rdtsc 0x00000002 mov cx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCF9C692A19h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570A2C second address: 0000000005570A50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483121h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCF9D48311Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570A50 second address: 0000000005570A75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 mov di, 9CA0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007FCF9C692A10h 0x00000015 pop eax 0x00000016 movsx edi, ax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570A75 second address: 0000000005570A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF9D483128h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570A91 second address: 0000000005570ABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCF9C692A15h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570ABB second address: 0000000005570AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570AC1 second address: 0000000005570AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570AC5 second address: 0000000005570BAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FCF9D483125h 0x00000012 and ch, FFFFFFC6h 0x00000015 jmp 00007FCF9D483121h 0x0000001a popfd 0x0000001b popad 0x0000001c and dword ptr [eax], 00000000h 0x0000001f pushad 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FCF9D483129h 0x00000027 add esi, 0697DFD6h 0x0000002d jmp 00007FCF9D483121h 0x00000032 popfd 0x00000033 pushfd 0x00000034 jmp 00007FCF9D483120h 0x00000039 or cx, 0DF8h 0x0000003e jmp 00007FCF9D48311Bh 0x00000043 popfd 0x00000044 popad 0x00000045 call 00007FCF9D483128h 0x0000004a mov bx, cx 0x0000004d pop eax 0x0000004e popad 0x0000004f and dword ptr [eax+04h], 00000000h 0x00000053 pushad 0x00000054 mov dh, 1Eh 0x00000056 pushfd 0x00000057 jmp 00007FCF9D483124h 0x0000005c adc ecx, 1EA372B8h 0x00000062 jmp 00007FCF9D48311Bh 0x00000067 popfd 0x00000068 popad 0x00000069 pop ebp 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570BAA second address: 0000000005570BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570BAE second address: 0000000005570BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540C42 second address: 0000000005540C5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540C5D second address: 0000000005540C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540C63 second address: 0000000005540C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540C67 second address: 0000000005540C90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D48311Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCF9D483125h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540C90 second address: 0000000005540CA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 444AC362h 0x00000008 movsx ebx, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540CA5 second address: 0000000005540CA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540CA9 second address: 0000000005540CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540CAF second address: 0000000005540D02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCF9D48311Fh 0x00000009 and eax, 4AE8A10Eh 0x0000000f jmp 00007FCF9D483129h 0x00000014 popfd 0x00000015 mov bl, cl 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FCF9D483123h 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D02 second address: 0000000005540D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, A2h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D09 second address: 0000000005540D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540D0F second address: 0000000005540D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570E42 second address: 0000000005570EA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483126h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCF9D483120h 0x0000000f push eax 0x00000010 jmp 00007FCF9D48311Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov cx, E4CBh 0x0000001b mov bx, si 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FCF9D483129h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570EA0 second address: 0000000005570EBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570EBC second address: 0000000005570EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570EC0 second address: 0000000005570EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005570EC4 second address: 0000000005570ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005520903 second address: 0000000005520909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005520909 second address: 000000000552090D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000552090D second address: 0000000005520923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCF9C692A0Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005520923 second address: 000000000552096A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FCF9D48311Eh 0x00000011 mov ebp, esp 0x00000013 jmp 00007FCF9D483120h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000552096A second address: 0000000005520970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005520970 second address: 0000000005520976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005520976 second address: 000000000552097A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580A22 second address: 0000000005580A39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483123h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580A39 second address: 0000000005580A63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx ecx, bx 0x00000010 mov ebx, 727C8E8Ah 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580A63 second address: 0000000005580A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF9D483127h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580A7E second address: 0000000005580ABF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FCF9C692A0Eh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 call 00007FCF9C692A0Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580ABF second address: 0000000005580AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, edx 0x00000007 popad 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCF9D48311Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580AD9 second address: 0000000005580B60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FCF9C692A0Ch 0x00000013 or ecx, 643499C8h 0x00000019 jmp 00007FCF9C692A0Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FCF9C692A18h 0x00000025 or ax, 9C28h 0x0000002a jmp 00007FCF9C692A0Bh 0x0000002f popfd 0x00000030 popad 0x00000031 mov eax, dword ptr [775165FCh] 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FCF9C692A15h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580B60 second address: 0000000005580B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580B66 second address: 0000000005580B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580B6A second address: 0000000005580BAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483123h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d jmp 00007FCF9D483126h 0x00000012 je 00007FD00F395EE1h 0x00000018 pushad 0x00000019 movzx esi, dx 0x0000001c pushad 0x0000001d movsx edi, si 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580BAB second address: 0000000005580C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov ecx, eax 0x00000008 jmp 00007FCF9C692A0Eh 0x0000000d xor eax, dword ptr [ebp+08h] 0x00000010 pushad 0x00000011 mov ebx, 78737742h 0x00000016 pushfd 0x00000017 jmp 00007FCF9C692A13h 0x0000001c or ax, AE3Eh 0x00000021 jmp 00007FCF9C692A19h 0x00000026 popfd 0x00000027 popad 0x00000028 and ecx, 1Fh 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FCF9C692A0Dh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580C10 second address: 0000000005580C54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483121h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FCF9D48311Ch 0x00000012 or ax, ED98h 0x00000017 jmp 00007FCF9D48311Bh 0x0000001c popfd 0x0000001d mov di, cx 0x00000020 popad 0x00000021 leave 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 movsx edx, ax 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580C54 second address: 0000000005580C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000558009F second address: 00000000055800A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055800A3 second address: 00000000055800A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055800A7 second address: 00000000055800AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055800AD second address: 00000000055800B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055800B3 second address: 000000000558012C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FCF9D48311Dh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FCF9D48311Eh 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FCF9D48311Dh 0x0000001d or ah, 00000006h 0x00000020 jmp 00007FCF9D483121h 0x00000025 popfd 0x00000026 popad 0x00000027 mov eax, dword ptr [ebp+08h] 0x0000002a pushad 0x0000002b movzx eax, di 0x0000002e mov eax, edx 0x00000030 popad 0x00000031 and dword ptr [eax], 00000000h 0x00000034 jmp 00007FCF9D48311Bh 0x00000039 pop ebp 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FCF9D483120h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000558012C second address: 0000000005580130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580130 second address: 0000000005580136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005580136 second address: 000000000558013C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000558013C second address: 0000000005580140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540008 second address: 0000000005540025 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9C692A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540025 second address: 0000000005540072 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF9D483121h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov di, cx 0x0000000e mov si, E05Fh 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 mov edi, 6E8391D6h 0x0000001a mov esi, edi 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f mov dl, CEh 0x00000021 push eax 0x00000022 push edx 0x00000023 pushfd 0x00000024 jmp 00007FCF9D48311Eh 0x00000029 xor ch, FFFFFFF8h 0x0000002c jmp 00007FCF9D48311Bh 0x00000031 popfd 0x00000032 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540072 second address: 0000000005540082 instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop edi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540082 second address: 0000000005540088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 0000000005540088 second address: 000000000554008C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 000000000554008C second address: 00000000055400C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FCF9D483126h 0x00000012 and si, 54B8h 0x00000017 jmp 00007FCF9D48311Bh 0x0000001c popfd 0x0000001d popad 0x0000001e xchg eax, ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	RDTSC instruction interceptor: First address: 00000000055400C8 second address: 00000000055400CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Special instruction interceptor: First address: 0000000000B8DCD7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Special instruction interceptor: First address: 0000000000B8DBEE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Special instruction interceptor: First address: 0000000000D3201C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Special instruction interceptor: First address: 0000000000D307AC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Special instruction interceptor: First address: 0000000000D58EBF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 00000000003EDCD7 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 00000000003EDBEE instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 000000000059201C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 00000000005907AC instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 00000000005B8EBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000A0DCD7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000A0DBEE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000BB201C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000BB07AC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000BD8EBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Special instruction interceptor: First address: 0000000000E2BABC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Special instruction interceptor: First address: 0000000000FD8707 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Special instruction interceptor: First address: 0000000001001B4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Special instruction interceptor: First address: 0000000000E0D951 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Special instruction interceptor: First address: 0000000000FB94A8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Special instruction interceptor: First address: 00000000010626BD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Special instruction interceptor: First address: 000000000105060E instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Special instruction interceptor: First address: 000000000014BABC instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Special instruction interceptor: First address: 00000000002F8707 instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Special instruction interceptor: First address: 0000000000321B4F instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Special instruction interceptor: First address: 00000000003826BD instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Memory allocated: 57C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Memory allocated: 5960000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Memory allocated: 7960000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe

Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 697	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 675	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 6721	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 650	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1482
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1545
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1640
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1696
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Window / User API: threadDelayed 4335

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\ladas[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\8PXzAAoEBuHCTzP4RBWU.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\IDzOFuKIaHRpmM4TfCyF.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\BzN7a4ewVcXrTgzQjQz2.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\well[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\plaza[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\plaza[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\plaza[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\well[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\well[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\KxZFCNaRhrDevdKhe6iU.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\HhXfzERnI4EYVEjNyANc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\3rOLtV34Ut0fTkzynGHi.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ladas[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\zFHlx6IqQx3xR1F02yH2.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\WWQdc6vczGf1JWs0hh6W.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\ladas[1].exe	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess

graph_0-58266

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe TID: 5608	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe TID: 4920	Thread sleep count: 94 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe TID: 3528	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe TID: 4920	Thread sleep count: 78 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe TID: 5556	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1500	Thread sleep time: -46023s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4996	Thread sleep count: 697 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4996	Thread sleep time: -1394697s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7244	Thread sleep time: -52000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1644	Thread sleep count: 675 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1644	Thread sleep time: -1350675s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1464	Thread sleep count: 6721 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1464	Thread sleep time: -13448721s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3964	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3964	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1308	Thread sleep time: -40020s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1628	Thread sleep count: 676 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1628	Thread sleep time: -1352676s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2756	Thread sleep count: 650 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2756	Thread sleep time: -1300650s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4808	Thread sleep count: 206 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4808	Thread sleep time: -412206s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4788	Thread sleep count: 179 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4788	Thread sleep time: -358179s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7248	Thread sleep time: -52000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5264	Thread sleep count: 1482 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5264	Thread sleep time: -2965482s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6896	Thread sleep count: 1545 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6896	Thread sleep time: -3091545s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6652	Thread sleep count: 1640 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6652	Thread sleep time: -3281640s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4940	Thread sleep count: 1580 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4940	Thread sleep time: -3161580s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4936	Thread sleep count: 1696 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4936	Thread sleep time: -3393696s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1836	Thread sleep count: 198 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1836	Thread sleep time: -396198s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7416	Thread sleep count: 109 > 30
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe TID: 7840	Thread sleep time: -43350s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8728	Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe TID: 8272	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe

Thread sleep count: Count: 4335 delay: -10

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A4C000 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	0_2_00A4C000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00B1B005 recv,FindFirstFileExW,	0_2_00B1B005
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002AC000 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	6_2_002AC000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0037B005 recv,FindFirstFileExW,	6_2_0037B005

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	File opened: C:\Users\user\Documents\desktop.ini

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1652691922.0000000006631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"aad_sso_algo_state":1,"first_profile_key":"Default","msa_first_profile_key":"Default","msa_sso_algo_state":1},"signin_last_seen_version":"117.0.2045.47","signin_last_updated_time":1696493841.488773},"sentinel_creation_time":"13340967441490675","smartscreen":{"enabled":true,"pua_protection_enabled":false},"startup_boost":{"default_last_launch":true,"last_browser_open_time":"13340967441556681"},"subresource_filter":{"ruleset_version":{"checksum":2134042798,"content":"10.34.0.50","format":36}},"tab_stats":{"discards_external":0,"discards_proactive":0,"discards_urgent":0,"last_daily_sample":"13340967441401382","reloads_external":0,"reloads_urgent":0},"telemetry_client":{"cloned_install":{"user_data_dir_id":489683},"host_telclient_path":"QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxNaWNyb3NvZnRcRWRnZVxBcHBsaWNhdGlvblwxMTcuMC4yMDQ1LjQ3XHRlbGNsaWVudC5kbGw=","install_source_name":"windows","os_integration_level":5,"sample_id":31256164,"updater_version":"1.3.177.11","windows_update_applied":false},"ukm":{"persisted_logs":[]},"uninstall_metrics":{"installation_date2":"1696493841"},"updateclientdata":{"apps":{"ahmaebgpfccdhgidjaidaoojjcijckba":{"cohort":"rrf@0.15","cohortname":"","installdate":-1},"alpjnmnfbgfkmmpcfpejmmoebdndedno":{"cohort":"rrf@0.55","cohortname":"","fp":"1.8F202CFB86D1EF0B5FE116718DFEDB375BB50534A1D45F02FC95BD099FDC183F","installdate":-1,"pv":"7.0.0.0"},"cllppcmmlnkggcmljjfigkcigaajjmid":{"cohort":"rrf@0.43","cohortname":"","fp":"1.D38C6AADB3F9B92410AE822CBD205272ACA28CC7C816A444EA0B795112CF98D9","installdate":-1,"pv":"116.16385.16360.19"},"ebkkldgijmkljgglkajkjgedfnigiakk":{"cohort":"rrf@0.79","cohortname":"","fp":"1.1B2BA8FC90BA68CD057B9CAAFFC218EAD59A23E37F79192ED37D0C3A7A8BAB03","installdate":-1,"pv":"1.0.0.20"},"eeobbhfgfagbclfofmgbdfoicabjdbkn":{"cohort":"rrf@0.41","cohortname":"","fp":"1.8BFD50D350D47445B57BB1
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1964588464.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000$$
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ccount.microsoft.com/profileVMware20,11696494690u
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pageformVMware20,11696494690
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001412000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@mE
Source: MPGPH131.exe, 00000007.00000003.1964588464.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_49CB2D5F
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1939358806.000000000156C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1939358806.0000000001540000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696494690
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1591362920.0000000006591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ra Change Transaction PasswordVMware20,11696494690
Source: RageMP131.exe, 00000014.00000003.1942413172.0000000001423000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: dHERKKd2xGPyY5Ssqp_N.exe, 0000002A.00000003.2027837840.0000000000942000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yu
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1607245468.0000000006631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"aad_sso_algo_state":1,"first_profile_key":"Default","msa_first_profile_key":"Default","msa_sso_algo_state":1},"signin_last_seen_version":"117.0.2045.47","signin_last_updated_time":1696493841.488773},"sentinel_creation_time":"13340967441490675","smartscreen":{"enabled":true,"pua_protection_enabled":false},"startup_boost":{"default_last_launch":true,"last_browser_open_time":"13340967441556681"},"subresource_filter":{"ruleset_version":{"checksum":2134042798,"content":"10.34.0.50","format":36}},"tab_stats":{"discards_external":0,"discards_proactive":0,"discards_urgent":0,"last_daily_sample":"13340967441401382","reloads_external":0,"reloads_urgent":0},"telemetry_client":{"cloned_install":{"user_data_dir_id":489683},"host_telclient_path":"QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxNaWNyb3NvZnRcRWRnZVxBcHBsaWNhdGlvblwxMTcuMC4yMDQ1LjQ3XHRlbGNsaWVudC5kbGw=","install_source_name":"windows","os_integration_level":5,"sample_id":31256164,"updater_version":"1.3.177.11","windows_update_applied":false},"ukm":{"persisted_logs":[]},"uninstall_metrics":{"installation_date2":"1696493841"},"updateclientdata":{"apps":{"ahmaebgpfccdhgidjaidaoojjcijckba":{"cohort":"rrf@0.15","cohortname":"","installdate":-1},"alpjnmnfbgfkmmpcfpejmmoebdndedno":{"cohort":"rrf@0.55","cohortname":"","fp":"1.8F202CFB86D1EF0B5FE116718DFEDB375BB50534A1D45F02FC95BD099FDC183F","installdate":-1,"pv":"7.0.0.0"},"cllppcmmlnkggcmljjfigkcigaajjmid":{"cohort":"rrf@0.43","cohortname":"","fp":"1.D38C6AADB3F9B92410AE822CBD205272ACA28CC7C816A444EA0B795112CF98D9","installdate":-1,"pv":"116.16385.16360.19"},"ebkkldgijmkljgglkajkjgedfnigiakk":{"cohort":"rrf@0.79","cohortname":"","fp":"1.1B2BA8FC90BA68CD057B9CAAFFC218EAD59A23E37F79192ED37D0C3A7A8BAB03","installdate":-1,"pv":"1.0.0.20"},"eeobbhfgfagbclfofmgbdfoicabjdbkn":{"cohort":"rrf@0.41","cohortname":"","fp":"1.8BFD50D350D47445B57BB1c^
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1591362920.0000000006591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169649469(
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: comVMware20,11696494690o
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696hj
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o.inVMware20,11696494690~
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000002.2078183383.0000000000D13000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2551836626.0000000000573000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.1906034356.0000000000B93000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000002.2090365340.0000000000B93000.00000040.00000001.01000000.00000006.sdmp, dHERKKd2xGPyY5Ssqp_N.exe, 0000002A.00000002.2085902115.0000000000FB4000.00000040.00000001.01000000.0000000E.sdmp, MSIUpdaterV131.exe, 0000002B.00000002.2258014604.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV131.exe, 0000002B.00000002.2099613443.00000000002D4000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001412000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: RageMP131.exe, 00000014.00000003.1942413172.0000000001423000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1607245468.0000000006643000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_49CB2D5F\U
Source: MPGPH131.exe, 00000007.00000003.1548804229.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1{
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1591362920.0000000006591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,116964940
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1607245468.0000000006643000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000001lYPSsbzi2lM9kBLMDeySzGBx45nrC8zUE0MX+HUc1Q5CE+zgCCUUV9lQSeyP4OMUzP2x44dh2ptxvH8RYkyxvRqrAQbY0zDwflQLV32L/WiZ6CMDtSY0mjJDUPIbi9c1P8lGXoRlnuxakxYy2a0c=_/uMNoER/9pD2h3Kq19wy5TOobYwsP/SldTt3n0celPM=* NULL
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: formVMware20,11696494690
Source: MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}bkep=
Source: MPGPH131.exe, 00000007.00000003.1657678294.0000000005CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rootpagecomVMware20,11696494690o
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169649469
Source: RageMP131.exe, 00000008.00000002.1939358806.000000000156C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn-
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000002.2078183383.0000000000D13000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2551836626.0000000000573000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.1906034356.0000000000B93000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000002.2090365340.0000000000B93000.00000040.00000001.01000000.00000006.sdmp, dHERKKd2xGPyY5Ssqp_N.exe, 0000002A.00000002.2085902115.0000000000FB4000.00000040.00000001.01000000.0000000E.sdmp, MSIUpdaterV131.exe, 0000002B.00000002.2099613443.00000000002D4000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696494690
Source: MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW_jd
Source: RageMP131.exe, 00000008.00000002.1939358806.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: MPGPH131.exe, 00000007.00000003.1653319486.0000000005CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r global passwords blocklistVMware20,11696494690

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Thread information set: HideFromDebugger
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Thread information set: HideFromDebugger
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Code function: 0_2_00A54AB0 mov eax, dword ptr fs:[00000030h]		0_2_00A54AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002B4AB0 mov eax, dword ptr fs:[00000030h]		6_2_002B4AB0

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe "C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.2039399612.0000000006E85000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2382855663.0000000006A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2507254460.00000000063CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000002.2078183383.0000000000D13000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, 00000008.00000002.1906034356.0000000000B93000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: bNProgram Manager

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Code function: 0_2_00B1C92A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_00B1C92A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 43.2.MSIUpdaterV131.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.2.MSIUpdaterV131.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.dHERKKd2xGPyY5Ssqp_N.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.2084783663.0000000000DC1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2091149221.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2160160951.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000003.2055220279.0000000004890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.1921954403.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.2039950700.0000000004690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RisePro Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\P52521B9kqdb74d8LejmrZT.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u5VRxrmyjWYJsGnPHociwt5.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5QtvYXoJaghghg50zGLKyNk.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1607804010.00000000015BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1573764748.00000000015CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty Extension
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1607804010.00000000015BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1607804010.00000000015BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1607804010.00000000015BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \MultiDoge\multidoge.wallet
Source: firefox.exe, 00000029.00000003.2024671538.000002880BFD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: OSKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\logins.json	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\signons.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\formhistory.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LocalPrefs.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\places.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\cookies.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\signons.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\P52521B9kqdb74d8LejmrZT.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u5VRxrmyjWYJsGnPHociwt5.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5QtvYXoJaghghg50zGLKyNk.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	41 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	2 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	121 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	4 Obfuscated Files or Information	Security Account Manager	226 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	12 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	731 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	121 Registry Run Keys / Startup Folder	2 Bypass User Account Control	Cached Domain Credentials	271 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	271 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	47%	ReversingLabs	Win32.Trojan.Zusy
SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	47%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\fu[1].exe	22%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\fu[1].exe	22%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ladas[1].exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\plaza[1].exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\ladas[1].exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\plaza[1].exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\well[1].exe	35%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\fu[1].exe	22%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\ladas[1].exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\plaza[1].exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\well[1].exe	35%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	47%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\6EzL3hHTS7jbM2Oz3y4V.exe	22%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\8PXzAAoEBuHCTzP4RBWU.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\WWQdc6vczGf1JWs0hh6W.exe	35%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\heidi2JNoqCa0s9_1\zFHlx6IqQx3xR1F02yH2.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\3rOLtV34Ut0fTkzynGHi.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\IDzOFuKIaHRpmM4TfCyF.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\KxZFCNaRhrDevdKhe6iU.exe	35%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe	22%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\BzN7a4ewVcXrTgzQjQz2.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\HaJpYvk8t0RJ45fl1Ifn.exe	22%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\heidiOZ8O8BClDfN5\HhXfzERnI4EYVEjNyANc.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.mozilla.com0	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://mail.yahoo.co.jp/compose/?To=%s	0%	URL Reputation	safe
https://www.amazon.co.uk/	0%	URL Reputation	safe
http://185.215.113.46/mine/plaza.exe0v	100%	Avira URL Cloud	malware
http://185.215.113.46/mine/plaza.exej	100%	Avira URL Cloud	malware
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Zbr4ZHZ4CDa4pbW1CbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/well.exemania	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/fu.exef	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/niks.exeeidi2JNoqCa0s9_1	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/ladas.exe86	100%	Avira URL Cloud	malware
http://185.215.113.46/mine/plaza.exeb	100%	Avira URL Cloud	malware
https://www.bbc.co.uk/	0%	Avira URL Cloud	safe
https://www.youtube.com(	0%	Avira URL Cloud	safe
http://r3.o.lencr.org	0%	Avira URL Cloud	safe
http://185.215.113.46/mine/plaza.exeuu	100%	Avira URL Cloud	malware
https://accounts.google.comC:	0%	Avira URL Cloud	safe
http://www.fontbureau.comTTF	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/well.exe	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/fu.exe	100%	Avira URL Cloud	malware
http://185.215.113.46/	100%	Avira URL Cloud	malware
http://crl.pki.goog/gsr1/gsr1.crl0;	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/ladas.exe3	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/ladas.exeA	100%	Avira URL Cloud	malware
http://185.215.113.46/mine/amert.exeg	100%	Avira URL Cloud	malware
https://www.youtube.comC:	0%	Avira URL Cloud	safe
http://185.215.113.46/mine/amert.exeS	100%	Avira URL Cloud	malware
http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0	0%	Avira URL Cloud	safe
http://185.215.113.46/mine/plaza.exenu	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/ladas.exeT	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/ladas.exeb	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/ladas.exe17_	100%	Avira URL Cloud	malware
http://185.215.113.46/mine/plaza.exe	100%	Avira URL Cloud	malware
http://pki.goog/gsr1/gsr1.crt02	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/ladas.exev	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/fu.exert	100%	Avira URL Cloud	malware
http://185.215.113.46/mine/plaza.exe7	100%	Avira URL Cloud	malware
http://185.215.113.46/mine/plaza.exe6	100%	Avira URL Cloud	malware

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/well.exemania	RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Zbr4ZHZ4CDa4pbW1CbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi	firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000027.00000003.2560000631.000002001B2F5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 00000027.00000003.2008257223.0000020019C8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exef	MPGPH131.exe, 00000007.00000003.2341146026.0000000005CE9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2626712828.0000000005CE9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.mozilla.com0	firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/user-media/addon_icons/954/954390-64.png?modified=97d4c956(browserSetting	firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	false		high
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%	firefox.exe, 00000027.00000003.2546355697.000002001B98C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2511786855.0000020020E88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2461439392.00000200219F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2495701203.00000200219F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000027.00000003.2513312990.000002001F996000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	firefox.exe, 00000029.00000003.2674811397.000002880C48E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2668913323.000002880C48E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2647414793.000002880C48B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2689777330.000002880C48E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2692565844.000002880C48E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.comTTF	firefox.exe, 0000002E.00000003.2744790050.0000026D26D19000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2739730282.0000026D26D18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/ladas.exe86	MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 00000027.00000003.2491387296.0000020021E48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/user-media/addon_icons/784/784287-64.png?modified=mcrushed	firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	false		high
https://screenshots.firefox.com	firefox.exe, 00000027.00000003.2240336859.00000200159A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000027.00000003.1883235512.0000020017300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888767017.000002001753A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889124800.0000020017557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889563330.0000020017573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000027.00000003.1911985701.00000200139B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1661731813.0000000006643000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1650239381.0000000006643000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1652691922.0000000006643000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com	firefox.exe, 00000027.00000003.1952540052.0000020019CE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2008257223.0000020019CE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/niks.exeeidi2JNoqCa0s9_1	MPGPH131.exe, 00000007.00000003.2341146026.0000000005CE9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://185.215.113.46/mine/plaza.exej	MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://185.215.113.46/mine/plaza.exe0v	MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 00000027.00000003.1883235512.0000020017300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888767017.000002001753A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889124800.0000020017557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1889563330.0000020017573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 00000027.00000003.2401787867.000002001BEE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2412407578.000002001BEB5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000027.00000003.2513312990.000002001F996000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exe	RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.46/mine/plaza.exeb	MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing	firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	firefox.exe, 00000027.00000003.2277107716.000002001AECB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 00000027.00000003.2507147692.00000200212A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fpn.firefox.com	firefox.exe, 00000027.00000003.2240336859.00000200159A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT	RageMP131.exe, 00000008.00000002.1939358806.000000000150E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638857933.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1608053754.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1598861889.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1638775970.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1637417280.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1597873882.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 00000027.00000003.2536004477.0000020020E4B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com(	firefox.exe, 00000022.00000002.1772637061.00000231DC0C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://MD8.mozilla.org/1/m	firefox.exe, 00000027.00000003.2553308884.000002001B8D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.groupon.com/?utm_source=google&utm_medium=cpc&utm_campaign=us_dt_sea_ggl_txt_smp_sr_cbp_	firefox.exe, 00000027.00000003.2475549501.0000020021EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/	RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/81.181.57.74	RageMP131.exe, 00000014.00000002.2099369510.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.46/mine/plaza.exeuu	MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/risepro_botRomaniaG2	MPGPH131.exe, 00000007.00000002.2560943444.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://accounts.google.comC:	jQVZ0AI5Ls1YopKhCBc3.exe, 0000000B.00000002.2765450458.00000000001F0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.1816315056.000001CAC95D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/	firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/well.exe	RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.iqiyi.com/	firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r3.o.lencr.org	firefox.exe, 00000027.00000003.2513312990.000002001F9A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2515159317.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2535743839.0000020020E99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538696647.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2537031544.000002001F9A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2511786855.0000020020E99000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr1/gsr1.crl0;	firefox.exe, 00000027.00000003.2542777005.000002001BCCA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.46/mine/amert.exeg	MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.46/cost/ladas.exeA	MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/ladas.exe3	MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.youtube.comC:	firefox.exe, 00000022.00000002.1772637061.00000231DC0C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.46/mine/amert.exeS	RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0	firefox.exe, 00000027.00000003.2515159317.000002001F924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2538696647.000002001F924000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000027.00000003.2278677697.000002001A854000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2355399254.00000200176F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1901938072.00000200176C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2094149182.00000200176EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1905616144.00000200176AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2278677697.000002001A883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2214423557.000002001A89A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2345662599.00000200176A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2026712725.00000200176AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1905616144.00000200176C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2094149182.00000200176DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2549293313.000002001B937000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2077496755.0000020017691000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2298448290.000002001739A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1905553662.00000200176F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1899966098.00000200176D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2024819623.00000200176EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1899211633.00000200176D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2281683178.0000020019DC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1993999431.000002001A883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1991165924.000002001A8AD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 00000027.00000003.2559211831.000002001B820000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1989729068.000002001A8E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 00000027.00000003.2559211831.000002001B820000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1989729068.000002001A8E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	firefox.exe, 00000027.00000003.2520526652.000002001F600000.00000004.00000800.00020000.00000000.sdmp	false		high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 00000027.00000003.2401787867.000002001BEE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2412407578.000002001BEB5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2545471085.000002001BC3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2531685400.0000020021289000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 00000027.00000003.2507147692.0000020021289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2545471085.000002001BC3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2531685400.0000020021289000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.46/cost/ladas.exeb	MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000027.00000003.2549293313.000002001B937000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/ladas.exeT	MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/mine/plaza.exenu	RageMP131.exe, 00000008.00000002.1939358806.000000000156C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.46/mine/plaza.exe	RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/ladas.exe17_	MPGPH131.exe, 00000006.00000003.2735773869.00000000061A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.youtube.com	firefox.exe, 00000027.00000003.2447950789.0000020017D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 00000027.00000003.2475549501.0000020021EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2397596405.0000020021EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2400510109.000002001F919000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1577933294.0000000006588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1576093941.000000000664A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2034944261.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1895410445.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1646223753.0000000005E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1651595245.0000000005C48000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2061821580.0000000005C4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1595883527.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1642307545.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.co.uk/	firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 00000027.00000003.1911985701.00000200139B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1888525532.000002001751E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpgThi	firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/ladas.exev	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1950118970.0000000006643000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.46/cost/ladas.exet	MPGPH131.exe, 00000006.00000003.2735491573.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 00000027.00000003.2513312990.000002001F996000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pki.goog/gsr1/gsr1.crt02	firefox.exe, 00000027.00000003.2542777005.000002001BCCA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.wykop.pl/	firefox.exe, 00000027.00000003.2552897577.000002001B906000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exert	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1650239381.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1661731813.0000000006631000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe, 00000000.00000003.1652691922.0000000006631000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://twitter.com/	firefox.exe, 00000027.00000003.2507147692.00000200212A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.olx.pl/	firefox.exe, 00000027.00000003.2552897577.000002001B906000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2548874875.000002001B981000.00000004.00000800.00020000.00000000.sdmp	false		high
https://accounts.google.com/https://accounts.google.com/	firefox.exe, 00000027.00000003.2447868408.0000020017D94000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/mine/plaza.exe6	MPGPH131.exe, 00000007.00000003.2341146026.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.46/mine/plaza.exe7	MPGPH131.exe, 00000006.00000003.2735491573.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2608514599.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture	firefox.exe, 00000027.00000003.1987471324.000002001B39E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot	RageMP131.exe, 00000014.00000002.2099369510.0000000001441000.00000004.00000020.00020000.00000000.sdmp	false		high
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 00000027.00000003.2240336859.0000020015989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2047286420.0000020016D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.1893048353.0000020016D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2288146106.0000020016D26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2271612586.0000020016D2B000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
74.125.138.113	unknown	United States	15169	GOOGLEUS	false
13.107.6.158	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.215.113.46	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
172.253.124.106	unknown	United States	15169	GOOGLEUS	false
173.194.53.40	unknown	United States	15169	GOOGLEUS	false
172.217.133.10	unknown	United States	15169	GOOGLEUS	false
173.194.219.94	unknown	United States	15169	GOOGLEUS	false
173.194.143.137	unknown	United States	15169	GOOGLEUS	false
34.117.237.239	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
173.194.219.154	unknown	United States	15169	GOOGLEUS	false
18.173.166.77	unknown	United States	3	MIT-GATEWAYSUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
173.194.7.10	unknown	United States	15169	GOOGLEUS	false
13.107.213.41	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.71.99.188	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.239	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
31.13.88.13	unknown	Ireland	32934	FACEBOOKUS	false
74.125.138.94	unknown	United States	15169	GOOGLEUS	false
18.160.60.4	unknown	United States	3	MIT-GATEWAYSUS	false
34.120.208.123	unknown	United States	15169	GOOGLEUS	false
34.120.115.102	unknown	United States	15169	GOOGLEUS	false
64.233.177.95	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
74.125.138.149	unknown	United States	15169	GOOGLEUS	false
172.253.124.132	unknown	United States	15169	GOOGLEUS	false
64.233.176.84	unknown	United States	15169	GOOGLEUS	false
172.217.215.136	unknown	United States	15169	GOOGLEUS	false
13.107.21.239	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.10.159.154	unknown	United States	16509	AMAZON-02US	false
34.120.158.37	unknown	United States	15169	GOOGLEUS	false
31.13.66.19	unknown	Ireland	32934	FACEBOOKUS	false
173.194.219.104	unknown	United States	15169	GOOGLEUS	false
173.194.219.147	unknown	United States	15169	GOOGLEUS	false
13.107.42.16	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.42.14	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.88.206.205	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
108.177.122.94	unknown	United States	15169	GOOGLEUS	false
34.160.144.191	unknown	United States	2686	ATGS-MMD-ASUS	false
142.251.15.119	unknown	United States	15169	GOOGLEUS	false
108.177.122.95	unknown	United States	15169	GOOGLEUS	false
74.125.138.101	unknown	United States	15169	GOOGLEUS	false
64.233.185.147	unknown	United States	15169	GOOGLEUS	false
74.125.1.166	unknown	United States	15169	GOOGLEUS	false
34.117.186.192	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
31.13.65.36	unknown	Ireland	32934	FACEBOOKUS	false
172.217.135.201	unknown	United States	15169	GOOGLEUS	false
64.233.176.94	unknown	United States	15169	GOOGLEUS	false
152.195.19.97	unknown	United States	15133	EDGECASTUS	false
13.107.21.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.105.154	unknown	United States	15169	GOOGLEUS	false
34.117.188.166	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
172.217.135.170	unknown	United States	15169	GOOGLEUS	false
64.233.177.113	unknown	United States	15169	GOOGLEUS	false
172.217.215.93	unknown	United States	15169	GOOGLEUS	false
142.250.9.95	unknown	United States	15169	GOOGLEUS	false
64.233.185.119	unknown	United States	15169	GOOGLEUS	false
108.177.122.84	unknown	United States	15169	GOOGLEUS	false
31.13.88.35	unknown	Ireland	32934	FACEBOOKUS	false
142.250.9.113	unknown	United States	15169	GOOGLEUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.215.95	unknown	United States	15169	GOOGLEUS	false
23.209.36.201	unknown	United States	20940	AKAMAI-ASN1EU	false
74.125.136.94	unknown	United States	15169	GOOGLEUS	false
172.217.215.113	unknown	United States	15169	GOOGLEUS	false
142.250.105.94	unknown	United States	15169	GOOGLEUS	false
74.125.136.95	unknown	United States	15169	GOOGLEUS	false
142.250.105.95	unknown	United States	15169	GOOGLEUS	false
104.76.210.77	unknown	United States	6762	SEABONE-NETTELECOMITALIASPARKLESpAIT	false
172.253.124.119	unknown	United States	15169	GOOGLEUS	false
34.149.100.209	unknown	United States	2686	ATGS-MMD-ASUS	false
172.253.124.91	unknown	United States	15169	GOOGLEUS	false
34.107.243.93	unknown	United States	15169	GOOGLEUS	false
193.233.132.62	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
142.250.105.149	unknown	United States	15169	GOOGLEUS	false
31.13.65.7	unknown	Ireland	32934	FACEBOOKUS	false
34.107.221.82	unknown	United States	15169	GOOGLEUS	false
172.253.124.95	unknown	United States	15169	GOOGLEUS	false
35.244.181.201	unknown	United States	15169	GOOGLEUS	false
23.34.82.79	unknown	United States	25019	SAUDINETSTC-ASSA	false
64.233.185.93	unknown	United States	15169	GOOGLEUS	false
74.125.155.166	unknown	United States	15169	GOOGLEUS	false
142.251.15.84	unknown	United States	15169	GOOGLEUS	false
64.233.185.95	unknown	United States	15169	GOOGLEUS	false
52.12.189.203	unknown	United States	16509	AMAZON-02US	false
23.101.168.44	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.9.102	unknown	United States	15169	GOOGLEUS	false
74.125.136.132	unknown	United States	15169	GOOGLEUS	false
172.217.215.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.8
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1391082
Start date and time:	2024-02-12 20:38:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	56
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@183/701@0/92
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Simulations

Behavior and APIs

Time	Type	Description
20:39:22	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
20:39:22	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
20:39:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:39:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:39:45	Task Scheduler	Run new task: MSIUpdaterV131 HR path: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
20:39:47	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131 C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
20:39:52	API Interceptor	140x Sleep call for process: SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe modified
20:39:53	Task Scheduler	Run new task: MSIUpdaterV131 LG path: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
20:40:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131 C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
20:40:09	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
20:40:12	Task Scheduler	Run new task: explorgu path: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
20:40:17	API Interceptor	8x Sleep call for process: RageMP131.exe modified
20:40:18	API Interceptor	370717x Sleep call for process: MPGPH131.exe modified
20:41:07	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.6.158	SecuriteInfo.com.Win32.TrojanX-gen.9879.13379.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	nS2c7RHyiV.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	osvpYbj9SC.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	fmoxN12Pdb.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	6l2HJTG7zd.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	INV-0484 #U00a323,950.00.html	Get hash	malicious	HTMLPhisher	Browse
	5Jrztt780M.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
204.79.197.200	kr.ps1	Get hash	malicious	Unknown	Browse	/
185.215.113.46	SecuriteInfo.com.Trojan.Siggen26.6766.21437.6924.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	1cfxwHmB63.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, RisePro Stealer, Xmrig	Browse	185.215.113.46/cost/fu.exe
	8vPg8GbGtV.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/ladas.exe
	file.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	185.215.113.46/cost/ladas.exe
	Bbd9GbGTz6.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Xmrig	Browse	185.215.113.46/cost/fu.exe
	file.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46/cost/ladas.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://www.flipsnack.com/FADA7B77C6F/new-flipbook/full-view.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	Rendel#U00e9s_(PO5042208)_Az Idumont.hta	Get hash	malicious	AgentTesla	Browse	13.107.139.11
	8BCwJHxXOp.elf	Get hash	malicious	Mirai	Browse	157.55.40.171
	qBS5fx5Cgi.elf	Get hash	malicious	Mirai	Browse	20.203.135.90
	https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbU1CcXZZMzBCNGF5bWp3dml0VXZWYzE1NjI4d3xBQ3Jtc0trTnp1VG8zTHl0MzdqYTFKSjcxOVhScGo2YS1RNzk3cmk4ZWhlWDYzSzN6dEFkRDRNZnpyVUszU2Fyd1g3OWItdWdMT09XT1ctNl9LdXVBWE5MY2ZWYjRSSEszOHMzanNETWJUbnQydV9uNjlkWDdjVQ&q=http%3A%2F%2Fkilox.online/Bigge/Bigge/Bigge#Mcarden@Bigge.Com##	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	13.107.246.35
	SecuriteInfo.com.Win32.TrojanX-gen.9879.13379.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	13.107.21.200
	http://picasa.en.softonic.com	Get hash	malicious	Unknown	Browse	13.107.42.14
	https://www.pcerror-fix.com/application-was-unable-to-start-correctly-0xc0000142	Get hash	malicious	Unknown	Browse	20.121.111.193
	https://rtcdk.canopusacrux.top	Get hash	malicious	Unknown	Browse	13.107.213.41
	file.exe	Get hash	malicious	Unknown	Browse	13.107.22.239
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://www.flipsnack.com/FADA7B77C6F/new-flipbook/full-view.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	Rendel#U00e9s_(PO5042208)_Az Idumont.hta	Get hash	malicious	AgentTesla	Browse	13.107.139.11
	8BCwJHxXOp.elf	Get hash	malicious	Mirai	Browse	157.55.40.171
	qBS5fx5Cgi.elf	Get hash	malicious	Mirai	Browse	20.203.135.90
	https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbU1CcXZZMzBCNGF5bWp3dml0VXZWYzE1NjI4d3xBQ3Jtc0trTnp1VG8zTHl0MzdqYTFKSjcxOVhScGo2YS1RNzk3cmk4ZWhlWDYzSzN6dEFkRDRNZnpyVUszU2Fyd1g3OWItdWdMT09XT1ctNl9LdXVBWE5MY2ZWYjRSSEszOHMzanNETWJUbnQydV9uNjlkWDdjVQ&q=http%3A%2F%2Fkilox.online/Bigge/Bigge/Bigge#Mcarden@Bigge.Com##	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	13.107.246.35
	SecuriteInfo.com.Win32.TrojanX-gen.9879.13379.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	13.107.21.200
	http://picasa.en.softonic.com	Get hash	malicious	Unknown	Browse	13.107.42.14
	https://www.pcerror-fix.com/application-was-unable-to-start-correctly-0xc0000142	Get hash	malicious	Unknown	Browse	20.121.111.193
	https://rtcdk.canopusacrux.top	Get hash	malicious	Unknown	Browse	13.107.213.41
	file.exe	Get hash	malicious	Unknown	Browse	13.107.22.239
WHOLESALECONNECTIONSNL	SecuriteInfo.com.Trojan.Siggen26.6766.21437.6924.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46
	SecuriteInfo.com.Win32.TrojanX-gen.9879.13379.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46
	nS2c7RHyiV.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46
	iNuBKlGmrE.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46
	osvpYbj9SC.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46
	1cfxwHmB63.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, RisePro Stealer, Xmrig	Browse	185.215.113.32
	fmoxN12Pdb.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46
	8vPg8GbGtV.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2399232
Entropy (8bit):	7.932723171864367
Encrypted:	false
SSDEEP:	49152:AtNjudw+TeIsz5y48CU+1VvWlLt0YiO7N+9k/tm5lxMTGiR9X:XCTy48CU+1VIJ0XO8uVm5/uGiH
MD5:	11A2A91D1B8C9B3B0784D70A78F2DA6F
SHA1:	5ECB42524C51DEA5E2377419F77C25ED8FEDF0B2
SHA-256:	A57A3B08BFB8AEC37A412A829BAF276CE0DD2782927CCC925F4509C97680EA73
SHA-512:	5D29BCA16E2733DEA93D571783561CBCF229C908D104EEB3F2080D59141F945534E76A9C4EE4046D91DC62F68E47902625F4215EA782F4BD9D4B0E41B7177E78
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L......e...............".....,.......@\...........@..........................p\......%...@.................................T...h....p.............................................................................................................. . .`..........................@....rsrc........p... ..................@....idata ............................@... .0,.......... ..............@...zcmtppku.`....@..T..."..............@...kmucpvwr.....0\......v$.............@....taggant.0...@\.."...z$.............@...........................................................................................................................................................................................

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8114
Entropy (8bit):	5.183514127361925
Encrypted:	false
SSDEEP:	192:w99wMisuBcbhbVbTbfbRbObtbyEl7n3rwJA6unSrDtTkdmS73h:w9bMcNhnzFSJXrj1nSrDhkdmY
MD5:	26891801F28325B7EAA350F28F514AFB
SHA1:	03F32A5942F33BB8BF7853030AB33ACEE645B03F
SHA-256:	84163580E02A1C004B5588A76214C80E0E3606B110AA220DD6DD180ADC6A7A81
SHA-512:	8D183FA464029ADD54B17C1BFB3F5BCFAE7281EEF2ABEF5796B056956C1076BC3033BB28BDD2A14D4EC12AD40A258C3CB478866766BD676B0E6AC9BD57E6E946
Malicious:	false
Preview:	{"type":"uninstall","id":"6f0e6065-626d-4198-b354-c97b95febe98","creationDate":"2024-02-12T21:39:17.652Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"965729a8-84e4-4cad-a75d-ac8181902c4b","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	45610
Entropy (8bit):	6.092356796832418
Encrypted:	false
SSDEEP:	768:73DXzgWPsj/qlGJqIY8GB4xXOmkLmZ1uEK3D0bKuKwWE7RTupzKscDX//NPC1oV:73/Ps+wsI7yOXZdKoRTuiVIoV
MD5:	3FAE48457418D4F6EB585DE83075C34B
SHA1:	FB68505F0677B2D3CE963F21E4E62DCA2E2E1265
SHA-256:	57577FC8E87BF77A064BEA31FBD9EA86326EE4AA715F1A9C9D806D2D2ACBBF75
SHA-512:	0074F63235828E9F4A83700B1BC9EE2822CDE8470306E71D89BFD39BC7F886E00B2145FFFF49672BC3EAF084AC61B8AB4A00E88EC2A0184A359821B79D89AD2B
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"A3A9D6F712BAB0D71355FF768606492CF4B47907F29FF0D0314BDAA720054D66\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1707766791"},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0V

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Feb 12 18:39:42 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.980726912749521
Encrypted:	false
SSDEEP:	48:8Jrnw0dvOTPKAR7HCUidAKZdA1oehwiZUklqeh9y+3:8Jzw8OL5Rgey
MD5:	84FE0C8A4DF55C94F673DB7AF43DB868
SHA1:	E2C7AC6C1B6A1AF8DBCBB1C07BA48A2B0FD9052F
SHA-256:	240E0EC7C892DD0AB49A9C8B689719390973995D2549ED36B8BF2FA2BCDB6C91
SHA-512:	A2FD21DE76E815A31907A87E246DCA3586DACBA19578EDF190180016A38541D60F2B162D5333D5DA3A7DC56DACC807E80B087F3CC559E68627316A87860B39EE
Malicious:	false
Preview:	L..................F.@.. ...$+.,......r9.]..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.ILX.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VLX.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VLX.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VLX............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VLX.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........._-.I.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Entrypoint:	0x9c4000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65C5D990 [Fri Feb 9 07:51:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x149054	0x68	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x137000	0x110a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1491f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x136000	0x8ee00	7f8d309782d823561306736c232d6994	False	0.9998239966097988	data	7.983941674526406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x137000	0x110a0	0x2000	53499c5ffc61fd429c552aa9f51dea5d	False	0.982421875	data	7.9038550366875375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x149000	0x1000	0x200	588e00183b8b4dbb8c7106492f04143d	False	0.14453125	data	0.9824704719748909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x14a000	0x2c3000	0x200	32d7ca5c2ed36ce49a94991fdfc04f73	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zcmtppku	0x40d000	0x1b6000	0x1b5400	30f41c4f3dd37c90e21927f27fdf82a8	False	0.9605449765937679	big endian ispell hash file (?),	7.91533177692051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kmucpvwr	0x5c3000	0x1000	0x400	3f55af0f071958319dfbac65dec4cf35	False	0.8134765625	data	6.293430964816731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5c4000	0x3000	0x2200	d55106a9c44fb97b5ef882f9739d3fc7	False	0.059857536764705885	DOS executable (COM)	0.8087908507968429	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5b13a8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	Russian	Russia	0.10367620962971726
RT_GROUP_ICON	0x5c1bd0	0x14	data	Russian	Russia	1.15
RT_VERSION	0x5c1be4	0x2b4	data	Russian	Russia	0.48121387283236994
RT_MANIFEST	0x5c1e98	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x5c217e	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Target ID:	0
Start time:	20:39:17
Start date:	12/02/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe
Imagebase:	0xa40000
File size:	2'399'232 bytes
MD5 hash:	11A2A91D1B8C9B3B0784D70A78F2DA6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	20:39:37
Start date:	12/02/2024
Path:	C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\jQVZ0AI5Ls1YopKhCBc3.exe"
Imagebase:	0x870000
File size:	917'504 bytes
MD5 hash:	67B659FCDDF2F8C738A12D6E482A076B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 22%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	13
Start time:	20:39:38
Start date:	12/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	19
Start time:	20:39:39
Start date:	12/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1976,i,6856639093823868645,7335846577343969463,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	20
Start time:	20:39:40
Start date:	12/02/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x8c0000
File size:	2'399'232 bytes
MD5 hash:	11A2A91D1B8C9B3B0784D70A78F2DA6F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	23
Start time:	20:39:41
Start date:	12/02/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	20:39:42
Start date:	12/02/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1912,i,15615417388423881991,543541311184639790,262144 /prefetch:3
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	20:39:43
Start date:	12/02/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	35
Start time:	20:39:44
Start date:	12/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	42
Start time:	20:39:48
Start date:	12/02/2024
Path:	C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\dHERKKd2xGPyY5Ssqp_N.exe"
Imagebase:	0xdc0000
File size:	1'931'264 bytes
MD5 hash:	027F0C0AE28575127E76E80E2E91D46D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002A.00000002.2084783663.0000000000DC1000.00000040.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002A.00000003.1921954403.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	48
Start time:	20:39:54
Start date:	12/02/2024
Path:	C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Imagebase:	0xe0000
File size:	1'931'264 bytes
MD5 hash:	027F0C0AE28575127E76E80E2E91D46D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000030.00000002.2160160951.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000030.00000003.2055220279.0000000004890000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	49
Start time:	20:39:55
Start date:	12/02/2024
Path:	C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\heidi3rWvK1xaZKPt\4sPiYiirBc4Eg8wqN443.exe"
Imagebase:	0xe00000
File size:	1'755'648 bytes
MD5 hash:	64D74B4DCF40E24D3F163421AD180350
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	50
Start time:	20:39:56
Start date:	12/02/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20230927232528 -prefsHandle 2284 -prefMapHandle 1816 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc5eb95e-32b5-4e67-b0fb-c26c990538d2} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 2000786cf10 socket
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6f0e6065-626d-4198-b354-c97b95febe98.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6f0e6065-626d-4198-b354-c97b95febe98.json.tmp

C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4sPiYiirBc4Eg8wqN443.exe.log

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1be0ce43-4e40-42d8-a5fc-33f68c48005a.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\20b74f7d-d777-47b1-a9d4-96cb4a2e8304.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\25eb2e68-324d-4412-91b5-a1af125476a2.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\35fea29b-cadc-4432-8a85-9ef39c103ae4.tmp

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen26.6766.29781.19786.exe

Target ID:	53
Start time:	20:39:59
Start date:	12/02/2024
Path:	C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe"
Imagebase:	0xa30000
File size:	1'931'264 bytes
MD5 hash:	027F0C0AE28575127E76E80E2E91D46D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Execution Coverage:	17.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	67.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	176

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre