Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Analysis ID: 1452258
MD5: fd92c8971718f1e033a5b70c8216c4cf
SHA1: e7373cdaedd4eb124fd8c34ad6d80d9e5137084f
SHA256: 12e69a8cbb43fd1cb8bbcbc8ea4e93a11096244753c6e463201db4086e346ca2

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Contains functionality to infect the boot sector
Detected potential unwanted application
Queries disk data (e.g. SMART data)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Classification chart (image not captured). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.

AV Detection

Source: http://soft-dl.v78q.com/softmgr/package/E593CA50-643E-48BE-8A17 Avira URL Cloud: Label: malware
Source: http://soft-dl.v78q.com/softmgr/package/E593CA50-643E-48BE-8A17-0CD5890AA11E/ZhiZhuZhiPai0529.exe.pa Avira URL Cloud: Label: malware
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Virustotal: Detection: 25%
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Users\user\AppData\Local\Temp\kantivirus\kavsetup.log
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static PE information: certificate valid
Source: Binary string: plus3.0_fb\product\win32\dbginfo\kfilemgr64.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65155924750.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65156023010.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65178139763.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65216613806.00000000057D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: plus3.0_fb\product\win32\dbginfo\kfilemgr64.pdbH source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65155924750.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65156023010.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65178139763.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65216613806.00000000057D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kanti\kanti\Product\win32\dbginfo\ksapi64-dll.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118473742.00000000057DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65710916505.000000000BDD2000.00000002.00000001.01000000.0000000A.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, ksapi.dll.5.dr
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine_git\kisengine_git\product\win32\dbginfo\kinstuiofficial.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine_git\kisengine_git\product\win32\dbginfo\kinstui_exe.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615571903.0000000000A51000.00000004.00000020.00020000.00000000.sdmp, InstallHelper.exe, 00000009.00000002.65683400124.000000000044A000.00000002.00000001.01000000.0000000C.sdmp, InstallHelper.exe, 00000009.00000000.65615335906.000000000044A000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kis_2012_defend_dev_kplus3.0_fb\product\win32\dbginfo\kfilemgr64.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kis_2012_defend_dev_kplus3.0_fb\product\win32\dbginfo\kfilemgr64.pdbH source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB7DA0 GetLastError,FindFirstFileW, 5_2_0BDB7DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB7D60 GetLastError,FindFirstFileA, 5_2_0BDB7D60
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00443E37 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 9_2_00443E37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004871D8 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW, 5_2_004871D8
Source: Joe Sandbox View IP Address: 114.132.191.224 114.132.191.224
Source: Joe Sandbox View IP Address: 139.9.45.227 139.9.45.227
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004C641B recv, 5_2_004C641B
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.000000000098B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://2398.35go.net/defend/o1/dbazdk03.dat
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.000000000098B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://2398.35go.net/defend/o1/dbazdk03.datM
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://2398.35go.net/defend/o1/jcqgx.ini
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://2398.35go.net/defend/o1/jcqgx.inijcqgx.iniurlmd5dirprobability.bak
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, kdb_semrjgj.dll.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118473742.00000000057DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, ksapi.dll.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64939498153.000000000262F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, kdb_semrjgj.dll.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, kdb_semrjgj.dll.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65686988752.0000000002600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64597797930.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598757083.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65686988752.0000000002600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/kavsetupin
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64597797930.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598757083.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65686988752.0000000002600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/kavsetupinLma
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.00000000009CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/kavsetupinstallsgsemforxp_20240429.dat
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.00000000009CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/kavsetupinstallsgsemforxp_20240429.datF_
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.000000000094E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65686988752.0000000002600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/kavsetuprcmd_sem_20240516.dat
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64715095351.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64715452114.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.0000000000A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/kavsetuprcmd_sem_20240516.datll%
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64715095351.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64715452114.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.0000000000A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cd001.www.duba.net/duba/install/packages/ever/kavsetuprcmd_sem_20240516.datrewalX
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.000000000098B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.i.duba.net/
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://config.i.duba.net/aldconfig/area.dat
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://config.i.duba.net/aldconfig/area.datpopstylearea_smedrivergeniushttp://dubacdn.cmcmcdn.com/se
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://config.i.duba.net/aldconfig/resource.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://config.i.duba.net/aldconfig/resource.pngrs%s
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://config.i.duba.net/seminstall/%d/%s.xml?time=%d
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://config.i.duba.net/seminstall/%d/%s.xml?time=%dvariableinstallrununinstall_timeand&or%d_%droot
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64597797930.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598757083.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64590552705.0000000002614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.i.duba.net/seminstall/166/718.xml?time=1717581745
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.00000000009D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.i.duba.net/seminstall/166/718.xml?time=1717581745u
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64597797930.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64590552705.0000000002614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.i.duba.net/seminstall/166/718.xml?time=1717581745wm
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://crl.globalsign.com/gs/gsevcodesignsha2g2.crl0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0X
Source: neorkbsep.sys.5.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://crl.globalsign.net/root.crl0O
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, kdb_semrjgj.dll.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118473742.00000000057DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, ksapi.dll.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64939498153.000000000262F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, kdb_semrjgj.dll.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, kdb_semrjgj.dll.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118473742.00000000057DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, ksapi.dll.5.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64939498153.000000000262F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118473742.00000000057DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, ksapi.dll.5.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ct.duba.net/itidP
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.000000000098B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.000000000098B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64498945759.0000000002613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cu003.www.duba.net/duba/tools/dubatools/softmgricon/60038320.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615571903.0000000000A51000.00000004.00000020.00020000.00000000.sdmp, InstallHelper.exe, InstallHelper.exe, 00000009.00000002.65683400124.000000000044A000.00000002.00000001.01000000.0000000C.sdmp, InstallHelper.exe, 00000009.00000000.65615335906.000000000044A000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: InstallHelper.exe String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html#
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://did.ijinshan.com/db/?v=2&p=db&u=0947BEFD7C7CA35ACEDFFC1E2AE55DC7&m=d05099db23970000&ip=336308
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/%d.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/%s.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/ald2_%d.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/ald_%d.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/ald_%d.pnghttp://dubacdn.cmcmcdn.com/sem/installer/ald2_%d.
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.baidu.com
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64597797930.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598757083.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65686988752.0000000002600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.00000000009CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/)
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.0000000000975000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.0000000000978000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/-1-0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://infoc0.duba.net/c/KMain::_Init
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.0000000000975000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.0000000000978000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/LL
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64597797930.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598757083.0000000002614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/ba.ne
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65686988752.0000000002600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/ba.nek
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.0000000000975000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.0000000000978000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/dlllC
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.0000000000975000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.0000000000978000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/evice
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.0000000000975000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.0000000000978000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/lll
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598757083.0000000002614000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65686988752.0000000002600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/c/x-www
Source: InstallHelper.exe, 00000009.00000002.65684913442.00000000022B0000.00000004.00000020.00020000.00000000.sdmp, InstallHelper.exe, 00000009.00000000.65615335906.000000000044A000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: http://infoc0.duba.net/nep/v1/
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65711235113.000000000C25A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/nep/v1/$
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65260956996.0000000005842000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65282683181.0000000005842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/nep/v1/W
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.0000000005842000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65253430677.0000000005842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/nep/v1/o
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65223536479.000000000584A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/nep/v1/p
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65223536479.000000000584A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65230568707.000000000584A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://infoc0.duba.net/nep/v1/u
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ir.baidu.com
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jianyi.baidu.com/
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://map.baidu.com
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://mydown.yesky.comhttps://www.ijinshan.com/privacy/duba-enduserlicenseandsevice-agreement.html
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://news.baidu.com
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689300630.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64939498153.000000000262F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, kdb_semrjgj.dll.5.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118473742.00000000057DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, ksapi.dll.5.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, kdb_semrjgj.dll.5.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://ocsp.globalsign.com/ExtendedSSLSHA256CACross0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://ocsp2.globalsign.com/gsevcodesignsha2g205
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr30
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689300630.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.dc/elements/1.1/
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g2.crt0:
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://sf.symcd.com0&
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64473526006.00000000009D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://soft-dl.v78q.com/softmgr/package/E593CA50-643E-48BE-8A17
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64715095351.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64715452114.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598496568.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.00000000009D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://soft-dl.v78q.com/softmgr/package/E593CA50-643E-48BE-8A17-0CD5890AA11E/ZhiZhuZhiPai0529.exe.pa
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://softmgr.duba.net/softmgr_v2/softdetail/%s.json?ver=1
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598884287.000000000098B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598209342.000000000098B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softmgr.duba.net/softmgr_v2/softdetail/60038320.json?ver=1LMEM
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tieba.baidu.com
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://v.baidu.com
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://weather2db.cmcm.com/ip/cityid
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://weather2db.cmcm.com/ip/cityiduniqid:
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_co
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u=
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.baidu.com/duty/
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.baidu.comP
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.000000000094E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.duba.com
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65309908503.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65216304057.0000000005832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.0000000005832000.00000004.00000020.00020000.00000000.sdmp, kavsetup.log.5.dr String found in binary or memory: http://www.duba.com/
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65687862327.0000000002972000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.duba.com/i
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: http://www.globalsign.net/repository/03
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65689740870.0000000003185000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.hao123.com
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://www.ijinshan.com//help/2/2/20200311.shtmlSb_Q
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65687862327.00000000029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: https://newvip.duba.net/api/v2/ocpc/report_install_success
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: https://newvip.duba.net/api/v2/ocpc/report_install_successhttps://newvip.duba.net/api/v2/ocpc/un_ins
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: https://newvip.duba.net/api/v2/ocpc/un_install
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: https://pc-store.lenovomm.cn/advertappservice/api/adAppCheck
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: https://pc-store.lenovomm.cn/advertappservice/api/adAppCheckhttps://softmgr-softsem-srv.jinshanapi.c
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: https://softmgr-softsem-srv.jinshanapi.com/sem/lenovomm/get_software_sem_info
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64557569594.0000000002613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://softmgr-softsem-srv.jinshanapi.com/sem/lenovomm/get_software_sem_infoa
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: https://wpa1.qq.com/5ciKQjBf?_type=wpa&qidian=trueMarketQQLinkhttps://wpa1.qq.com/FDdK6y0s?_type=wpa
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, ksapi.dll.5.dr, kdb_semrjgj.dll.5.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: https://www.ijinshan.com/privacy/dubaPrivacy.html
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: https://www.ijinshan.com/privacy/dubaPrivacy.htmlsoguo_mainbg_newsofttemprory.png
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00497170 OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard, 5_2_00497170
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004497BD BeginPaint,CreateCompatibleDC,GetWindowRect,CreateDIBSection,SelectObject,FindWindowExW,GetWindowRect,SystemParametersInfoW,GetDC,BitBlt,BitBlt,BitBlt,ReleaseDC,StretchBlt,UpdateLayeredWindow,SelectObject,DeleteObject,DeleteObject,DeleteObject,DeleteDC,EndPaint, 5_2_004497BD

System Summary

Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe PE Signature Subject Chain: CN="Beijing Kingsoft Security software Co.,Ltd", O="Beijing Kingsoft Security software Co.,Ltd", S=Beijing, C=CN
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00487070 OpenProcess,OpenProcess,NtQueryInformationProcess,OpenProcess,GetModuleFileNameExW,K32GetModuleFileNameExW,GetProcessImageFileNameW,K32GetProcessImageFileNameW,CloseHandle,CloseHandle,CloseHandle, 5_2_00487070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC2BD0 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlNtStatusToDosError,NtClose,SetLastError, 5_2_0BDC2BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC33D0 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,NtClose,NtClose,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDC33D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC03F0 RtlNtStatusToDosError,RegCloseKey,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtClose, 5_2_0BDC03F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC2B80 DeleteCriticalSection,EnterCriticalSection,NtClose,NtClose,LeaveCriticalSection, 5_2_0BDC2B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBEBB0 RtlNtStatusToDosError,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtClose,RtlNtStatusToDosError, 5_2_0BDBEBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC3BA0 RtlNtStatusToDosError,RtlInitUnicodeString,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDC3BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC4B50 RtlNtStatusToDosError,RegCloseKey,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtClose, 5_2_0BDC4B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB3B60 DeviceIoControl,NtAllocateVirtualMemory, 5_2_0BDB3B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC3310 RtlNtStatusToDosError,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtClose,RtlNtStatusToDosError, 5_2_0BDC3310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC0B00 RtlCreateUnicodeStringFromAsciiz,DeviceIoControl,NtCreateKey,NtCreateKey, 5_2_0BDC0B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC12C0 DeviceIoControl,NtQueryValueKey,NtQueryValueKey, 5_2_0BDC12C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBEAF0 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,NtClose,RtlNtStatusToDosError, 5_2_0BDBEAF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC02F0 RtlNtStatusToDosError,RegCloseKey,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,NtClose, 5_2_0BDC02F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB8AE0 NtWaitForSingleObject,RtlNtStatusToDosError,SetLastError, 5_2_0BDB8AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBAAE0 RtlInitUnicodeString,SetLastError,SetLastError,EnterCriticalSection,NtClose,RtlFreeHeap,DeleteCriticalSection,RtlFreeHeap,LeaveCriticalSection, 5_2_0BDBAAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBCA80 DeviceIoControl,NtReadFile, 5_2_0BDBCA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBBA80 RtlDosPathNameToNtPathName_U,RtlFreeHeap,RtlFreeHeap,NtClose,RtlDosPathNameToNtPathName_U,SetLastError,RtlNtStatusToDosError,SetLastError,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,SetLastError,RtlFreeHeap,RtlFreeHeap, 5_2_0BDBBA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBFAB0 GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,RtlUnicodeToMultiByteSize,RtlUnicodeToMultiByteN,RtlUnicodeToMultiByteSize,RtlUnicodeToMultiByteN,RtlUnicodeToMultiByteN,GetProcessHeap,HeapFree,NtClose,RtlNtStatusToDosError, 5_2_0BDBFAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC1AB0 DeviceIoControl,NtEnumerateValueKey,NtEnumerateValueKey, 5_2_0BDC1AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC3250 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,NtClose,RtlNtStatusToDosError, 5_2_0BDC3250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC4A50 RtlNtStatusToDosError,RegCloseKey,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,NtClose, 5_2_0BDC4A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC4210 GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,RtlUnicodeToMultiByteSize,RtlUnicodeToMultiByteN,RtlUnicodeToMultiByteSize,RtlUnicodeToMultiByteN,RtlUnicodeToMultiByteN,GetProcessHeap,HeapFree,NtClose,RtlNtStatusToDosError, 5_2_0BDC4210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBEA00 RtlNtStatusToDosError,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtClose,RtlNtStatusToDosError, 5_2_0BDBEA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB3A30 DeviceIoControl,NtWriteVirtualMemory, 5_2_0BDB3A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB8980 SetLastError,RtlNtStatusToDosError,SetLastError,NtWaitForSingleObject, 5_2_0BDB8980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC1150 DeviceIoControl,NtQueryValueKey,NtQueryValueKey, 5_2_0BDC1150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC1970 DeviceIoControl,NtEnumerateValueKey,NtEnumerateValueKey, 5_2_0BDC1970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC3160 RtlNtStatusToDosError,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtClose,RtlNtStatusToDosError, 5_2_0BDC3160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBD110 DeviceIoControl,NtQueryDirectoryFile, 5_2_0BDBD110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB3900 DeviceIoControl,NtReadVirtualMemory, 5_2_0BDB3900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBF8D0 RtlNtStatusToDosError,HeapAlloc,RtlNtStatusToDosError,RtlFreeHeap,NtClose, 5_2_0BDBF8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBE8F0 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlCreateUnicodeStringFromAsciiz,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,NtClose,RtlNtStatusToDosError, 5_2_0BDBE8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB9090 RtlDosPathNameToNtPathName_U,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,RtlDosPathNameToNtPathName_U,SetLastError,RtlNtStatusToDosError,SetLastError,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,SetLastError,RtlFreeHeap,RtlFreeHeap, 5_2_0BDB9090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC3050 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlCreateUnicodeStringFromAsciiz,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,NtClose,RtlNtStatusToDosError, 5_2_0BDC3050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC1040 DeviceIoControl,NtDeleteValueKey, 5_2_0BDC1040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC1840 DeviceIoControl,NtEnumerateKey, 5_2_0BDC1840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC0870 RtlCreateUnicodeStringFromAsciiz,DeviceIoControl,NtCreateKey,NtCreateKey, 5_2_0BDC0870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBC810 DeviceIoControl,NtOpenFile, 5_2_0BDBC810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC4030 RtlNtStatusToDosError,HeapAlloc,RtlNtStatusToDosError,RtlFreeHeap,NtClose, 5_2_0BDC4030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBA020 RtlFreeHeap,RtlFreeHeap,RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,RtlFreeHeap,RtlIsDosDeviceName_U,RtlCompareMemory,RtlFreeHeap,NtClose,SetLastError,RtlFreeHeap,RtlFreeHeap,NtClose,SetLastError,NtClose,SetLastError,RtlFreeHeap,RtlFreeHeap,SetLastError,RtlFreeHeap,RtlFreeHeap, 5_2_0BDBA020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBCFC0 DeviceIoControl,NtSetInformationFile, 5_2_0BDBCFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBEFE0 RtlNtStatusToDosError,RtlInitUnicodeString,HeapAlloc,RtlNtStatusToDosError,RtlFreeHeap,NtClose, 5_2_0BDBEFE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC3740 RtlNtStatusToDosError,RtlInitUnicodeString,HeapAlloc,RtlNtStatusToDosError,RtlFreeHeap,NtClose, 5_2_0BDC3740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC1710 DeviceIoControl,NtEnumerateKey, 5_2_0BDC1710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB3700 DeviceIoControl,NtOpenProcess, 5_2_0BDB3700
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBEF30 RtlNtStatusToDosError,RtlInitUnicodeString,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDBEF30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC0F30 DeviceIoControl,NtDeleteValueKey, 5_2_0BDC0F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC3690 RtlNtStatusToDosError,RtlInitUnicodeString,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDC3690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBEE80 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDBEE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBE6B0 RtlCreateUnicodeStringFromAsciiz,RtlCreateUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,NtClose,RtlFreeUnicodeString,RtlFreeUnicodeString, 5_2_0BDBE6B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC06B0 DeviceIoControl,NtOpenKey,NtOpenKey, 5_2_0BDC06B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBCE70 DeviceIoControl,NtQueryInformationFile, 5_2_0BDBCE70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBF670 RtlNtStatusToDosError,HeapAlloc,RtlNtStatusToDosError,RtlUnicodeStringToAnsiString,RtlUnicodeStringToAnsiString,RtlFreeHeap,NtClose, 5_2_0BDBF670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC0E60 NtClose,DeviceIoControl,NtDeleteKey, 5_2_0BDC0E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC2E10 RtlCreateUnicodeStringFromAsciiz,RtlCreateUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,NtClose,RtlFreeUnicodeString,RtlFreeUnicodeString, 5_2_0BDC2E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBFDD0 GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,NtClose,RtlNtStatusToDosError, 5_2_0BDBFDD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC3DD0 RtlNtStatusToDosError,HeapAlloc,RtlNtStatusToDosError,RtlUnicodeStringToAnsiString,RtlUnicodeStringToAnsiString,RtlFreeHeap,NtClose, 5_2_0BDC3DD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBE5C0 RtlNtStatusToDosError,RtlInitUnicodeString,RtlNtStatusToDosError,NtClose, 5_2_0BDBE5C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC35E0 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDC35E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC0D90 NtClose,DeviceIoControl,NtDeleteKey, 5_2_0BDC0D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBED80 RtlNtStatusToDosError,RtlInitUnicodeString,NtClose,NtClose,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDBED80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC15A0 DeviceIoControl,NtSetValueKey,NtSetValueKey, 5_2_0BDC15A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBC560 DeviceIoControl,NtCreateFile, 5_2_0BDBC560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC4530 GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,NtClose,RtlNtStatusToDosError, 5_2_0BDC4530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBF520 RtlNtStatusToDosError,HeapAlloc,RtlNtStatusToDosError,RtlUnicodeStringToAnsiString,RtlFreeHeap,NtClose, 5_2_0BDBF520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC2D20 RtlNtStatusToDosError,RtlInitUnicodeString,RtlNtStatusToDosError,NtClose, 5_2_0BDC2D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC04F0 DeviceIoControl,NtOpenKey,NtOpenKey, 5_2_0BDC04F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC34E0 RtlNtStatusToDosError,RtlInitUnicodeString,NtClose,NtClose,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDC34E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB3C90 DeviceIoControl,NtFreeVirtualMemory, 5_2_0BDB3C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC3C80 RtlNtStatusToDosError,HeapAlloc,RtlNtStatusToDosError,RtlUnicodeStringToAnsiString,RtlFreeHeap,NtClose, 5_2_0BDC3C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBAC50 RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtCreateKey,NtCreateKey,NtCreateKey,HeapAlloc,NtQueryValueKey,RtlFreeHeap,HeapAlloc,CloseHandle,NtSetValueKey,CloseHandle,RtlFreeHeap,CloseHandle,RtlFreeHeap, 5_2_0BDBAC50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBF440 RtlNtStatusToDosError,RtlInitUnicodeString,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDBF440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBE470 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlNtStatusToDosError,NtClose,SetLastError, 5_2_0BDBE470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBEC70 RtlNtStatusToDosError,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,NtClose,NtClose,NtClose,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError, 5_2_0BDBEC70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBCC00 DeviceIoControl,NtWriteFile, 5_2_0BDBCC00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC1430 DeviceIoControl,NtSetValueKey,NtSetValueKey, 5_2_0BDC1430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB8420 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,RtlFreeHeap,RtlFreeHeap,RtlNtStatusToDosError,SetLastError,SetLastError,SetLastError,SetLastError,RtlFreeHeap,RtlFreeHeap,SetLastError,NtClose,RtlFreeHeap,RtlFreeHeap,SetLastError,RtlFreeHeap,RtlFreeHeap,RtlNtStatusToDosError,SetLastError,SetLastError,RtlFreeHeap,RtlFreeHeap, 5_2_0BDB8420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBE420 DeleteCriticalSection,EnterCriticalSection,NtClose,NtClose,LeaveCriticalSection, 5_2_0BDBE420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004781AE: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,FindCloseChangeNotification, 5_2_004781AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB1F80 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,DeleteService,GetLastError, 5_2_0BDB1F80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0048178E LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle, 5_2_0048178E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Windows\system32\drivers\neorkbsep.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_3_00A28B3A 5_3_00A28B3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004A6040 5_2_004A6040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0046204B 5_2_0046204B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004B825F 5_2_004B825F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004AA516 5_2_004AA516
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00452736 5_2_00452736
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004B6C9F 5_2_004B6C9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00404D81 5_2_00404D81
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00494F37 5_2_00494F37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0049D244 5_2_0049D244
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0045929A 5_2_0045929A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0045F4D6 5_2_0045F4D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004AB4AA 5_2_004AB4AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004AF7F0 5_2_004AF7F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0043DA94 5_2_0043DA94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0049BB80 5_2_0049BB80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0044BCAF 5_2_0044BCAF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0049FE90 5_2_0049FE90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00419FC6 5_2_00419FC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDCA39A 5_2_0BDCA39A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDCEAC9 5_2_0BDCEAC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDBA020 5_2_0BDBA020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC7640 5_2_0BDC7640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB8420 5_2_0BDB8420
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_0043A615 9_2_0043A615
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00401D43 9_2_00401D43
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00446112 9_2_00446112
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00425265 9_2_00425265
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00415430 9_2_00415430
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_004125A0 9_2_004125A0
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_004245B2 9_2_004245B2
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00446654 9_2_00446654
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_0041A630 9_2_0041A630
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00425685 9_2_00425685
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00412730 9_2_00412730
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00447A0B 9_2_00447A0B
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00424A85 9_2_00424A85
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_0040DB40 9_2_0040DB40
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00445BD0 9_2_00445BD0
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00447C4C 9_2_00447C4C
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00446D14 9_2_00446D14
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00424E59 9_2_00424E59
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_0041AF5F 9_2_0041AF5F
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: String function: 00434295 appears 67 times
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: String function: 0043422B appears 75 times
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: String function: 0041A5CC appears 66 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 00490E43 appears 42 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 0BDC75DC appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 004E6360 appears 38 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 004C560E appears 56 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 004A5FE4 appears 53 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 004198C2 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 00593620 appears 801 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 0049A430 appears 119 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 00415D85 appears 171 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 004657DB appears 42 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 004C5681 appears 52 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: String function: 004F11B0 appears 47 times
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64598543559.0000000002645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUSERINIT.EXEj% vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64650350699.0000000002645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUSERINIT.EXEj% vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65683861864.000000000059B000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: invalid length/m\VarFileInfo\Translation\StringFileInfo\%04X%04X\CompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightOriginalFileNameProductNameProductVersionCommentsLegalTrademarksPrivateBuildSpecialBuild vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65683861864.000000000059B000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: _pGIRtlGetNtVersionNumbersntoskrnl.exeCompanyShortNameProductShortNameOriginalFilenameLastChangeOfficial Build\StringFileInfo\%04x%04x\%ls vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000000.64405417696.00000000007C7000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameV vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615571903.0000000000A51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameV vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.00000000009D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameV vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118579432.00000000057D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekisuopt.sysV vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118473742.00000000057DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameksapi.dllf# vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000000.64405269010.000000000059B000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: invalid length/m\VarFileInfo\Translation\StringFileInfo\%04X%04X\CompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightOriginalFileNameProductNameProductVersionCommentsLegalTrademarksPrivateBuildSpecialBuild vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000000.64405269010.000000000059B000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: _pGIRtlGetNtVersionNumbersntoskrnl.exeCompanyShortNameProductShortNameOriginalFilenameLastChangeOfficial Build\StringFileInfo\%04x%04x\%ls vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65710986211.000000000BDDC000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenameksapi.dllf# vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekisuopt.sysV vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64597468566.0000000002645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUSERINIT.EXEj% vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.00000000057F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameksapi.dllf# vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.64987526393.0000000002645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUSERINIT.EXEj% vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: invalid length/m\VarFileInfo\Translation\StringFileInfo\%04X%04X\CompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightOriginalFileNameProductNameProductVersionCommentsLegalTrademarksPrivateBuildSpecialBuild vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: _pGIRtlGetNtVersionNumbersntoskrnl.exeCompanyShortNameProductShortNameOriginalFilenameLastChangeOfficial Build\StringFileInfo\%04x%04x\%ls vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: OriginalFilenameV vs SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: neorkbsep.sys.5.dr Binary string: \??\\SystemRoot\DosDevices\pkd_2016-01_16_993\Device\pkd_2016-01_16_993RSDS
Source: classification engine Classification label: mal80.spyw.evad.winEXE@4/63@0/20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004D1691 GetLastError,FormatMessageA,GetLastError,SetLastError, 5_2_004D1691
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB5F80 LookupPrivilegeValueW,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 5_2_0BDB5F80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00484743 CoCreateGuid,GetLocalTime,GetComputerNameA,GetSystemDirectoryW,GetDiskFreeSpaceExW, 5_2_00484743
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB1890 GetSystemDirectoryW,PathAppendW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,PathFileExistsW,GetModuleHandleW,GetProcAddress,CopyFileW,SetFileAttributesW,MoveFileExW,MoveFileExW,CopyFileW,MoveFileExW,CopyFileW,GetModuleHandleW,GetProcAddress,PathFileExistsW,GetModuleHandleW,GetProcAddress,OpenSCManagerW,CreateServiceW,GetLastError,OpenServiceW,CreateFileW,CloseServiceHandle,CloseHandle,ChangeServiceConfig2W,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle, 5_2_0BDB1890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0048262B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 5_2_0048262B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00478AA3 CoInitializeEx,CoCreateInstance,CoSetProxyBlanket,VariantClear,CoUninitialize, 5_2_00478AA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00444AEE GetModuleFileNameW,PathFindFileNameW,FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource, 5_2_00444AEE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB1890 GetSystemDirectoryW,PathAppendW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,PathFileExistsW,GetModuleHandleW,GetProcAddress,CopyFileW,SetFileAttributesW,MoveFileExW,MoveFileExW,CopyFileW,MoveFileExW,CopyFileW,GetModuleHandleW,GetProcAddress,PathFileExistsW,GetModuleHandleW,GetProcAddress,OpenSCManagerW,CreateServiceW,GetLastError,OpenServiceW,CreateFileW,CloseServiceHandle,CloseHandle,ChangeServiceConfig2W,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle, 5_2_0BDB1890
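Editor's added example, not part of the sandbox report: the API chain at 5_2_0BDB1890 (GetSystemDirectoryW, PathAppendW, CopyFileW, then OpenSCManagerW, CreateServiceW, ChangeServiceConfig2W) together with the file-creation finding for C:\Windows\system32\drivers\neorkbsep.sys is the classic driver-install sequence, and it is what a detection should key on rather than the sample hash. The correlation below joins a Sysmon-style file-create event for a .sys in the drivers directory with a System 7045 kernel-driver service install that references the same path. The events, timestamps and the service name "neorkbsep" are constructed for the example; the report names the driver file but not the service.

```python
"""Correlate a .sys dropped into the drivers directory with a kernel-driver
service install (the sequence described by the API chain above).
Added example; the events below are constructed, not from the report."""
from datetime import datetime, timedelta

WINDOWS_DIR = "c:\\windows"
DRIVERS_DIR = WINDOWS_DIR + "\\system32\\drivers\\"


def normalize_driver_path(path: str) -> str:
    """Fold the spellings seen in service ImagePath values onto one form:
    \\??\\C:\\..., \\SystemRoot\\system32\\... and bare system32\\... all
    become c:\\windows\\... in lower case."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = WINDOWS_DIR + "\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = WINDOWS_DIR + "\\" + p
    return p


def find_driver_installs(events, window_s=300):
    """events: dicts with an ISO 'time' and either
       FileCreate      (Sysmon EID 11: image, target) or
       ServiceInstall  (System 7045: service_name, service_type, image_path).
    Returns one alert per kernel-driver service whose ImagePath is a .sys that
    a process outside C:\\Windows wrote to the drivers directory within
    window_s seconds before the install."""
    drops = []    # (time, normalized driver path, dropper image)
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["event"] == "FileCreate":
            target = normalize_driver_path(e["target"])
            dropper = e["image"].lower()
            if (target.startswith(DRIVERS_DIR) and target.endswith(".sys")
                    and not dropper.startswith(WINDOWS_DIR + "\\")):
                drops.append((t, target, e["image"]))
        elif e["event"] == "ServiceInstall":
            if e.get("service_type", "").lower() != "kernel mode driver":
                continue
            image_path = normalize_driver_path(e["image_path"])
            for t_drop, target, dropper in drops:
                if target == image_path and timedelta(0) <= t - t_drop <= timedelta(seconds=window_s):
                    alerts.append({
                        "service_name": e["service_name"],
                        "driver": target,
                        "dropper": dropper,
                        "seconds_between": (t - t_drop).total_seconds(),
                    })
    return alerts


# Constructed sample telemetry. The driver file name and the dropper path are
# taken from the report; the service name "neorkbsep" and the timestamps are
# assumptions for the example.
SAMPLE_EVENTS = [
    {"time": "2024-06-06T10:00:01", "event": "FileCreate",
     "image": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe",
     "target": r"C:\Windows\system32\drivers\neorkbsep.sys"},
    {"time": "2024-06-06T10:00:02", "event": "ServiceInstall",
     "service_name": "neorkbsep", "service_type": "kernel mode driver",
     "image_path": r"\SystemRoot\system32\drivers\neorkbsep.sys"},
    # Benign: a user-mode service install with no driver drop.
    {"time": "2024-06-06T10:01:00", "event": "ServiceInstall",
     "service_name": "ExampleSvc", "service_type": "user mode service",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # Benign: OS servicing writes a driver from a process under C:\Windows.
    {"time": "2024-06-06T10:02:00", "event": "FileCreate",
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\drivers\usbhub.sys"},
    {"time": "2024-06-06T10:02:01", "event": "ServiceInstall",
     "service_name": "usbhub", "service_type": "kernel mode driver",
     "image_path": r"system32\drivers\usbhub.sys"},
]

if __name__ == "__main__":
    for alert in find_driver_installs(SAMPLE_EVENTS):
        print(alert)
```

The "dropper outside C:\Windows" filter is only a noise reducer: the same API chain shows the sample copying files into the system directory first, so a dropper that stages a copy of itself there before creating the service would pass it. In production, key the filter on the creating process's signer and parent, not on its path alone.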
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: c:\program files (x86)\kingsoft
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Mutant created: \Sessions\1\BaseNamedObjects\{C16A0C4F-108B-4580-A7A0-8DEF25D2E9EF}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Mutant created: \Sessions\1\BaseNamedObjects\lock
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Users\user\AppData\Local\Temp\jcqgx.ini
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File read: C:\Users\user\AppData\Local\Temp\jcqgx.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Virustotal: Detection: 25%
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/%d.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/ald_%d.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/ald2_%d.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/%s.png
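Editor's added example, not part of the sandbox report: the four URLs above are printf-style templates (%d, %s), so they cannot be used as literal indicators; the installer fills them in at run time. The code below turns each template into an anchored regex and runs it over proxy log lines, preferring the more specific numeric templates over the catch-all %s one. The proxy log lines are constructed for the example; the conversion rules (%d as an optionally signed integer, %s as a single path segment) are my choices, not something the report states.

```python
"""Turn the printf-style URL templates recovered from the binary into anchored
regexes and match them against proxy log lines.
Added example; the log lines below are constructed, not from the report."""
import re

# Templates exactly as they appear in the sample's strings.
URL_TEMPLATES = [
    "http://dubacdn.cmcmcdn.com/sem/installer/%d.png",
    "http://dubacdn.cmcmcdn.com/sem/installer/ald_%d.png",
    "http://dubacdn.cmcmcdn.com/sem/installer/ald2_%d.png",
    "http://dubacdn.cmcmcdn.com/sem/installer/%s.png",   # least specific: keep it last
]

_SPEC = re.compile(r"%(?:\d+)?([dusx])")          # %d, %5d, %u, %x, %s
_SUBST = {
    "d": r"-?\d+",
    "u": r"\d+",
    "x": r"[0-9a-fA-F]+",
    "s": r"[^/?#\s]+",   # one path segment, so %s cannot swallow a whole path
}
_URL_IN_LOG = re.compile(r"https?://\S+")


def template_to_regex(template: str) -> re.Pattern:
    """Escape the literal parts and replace each conversion with a class."""
    out, pos = [], 0
    for m in _SPEC.finditer(template):
        out.append(re.escape(template[pos:m.start()]))
        out.append(_SUBST[m.group(1)])
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(out) + "$")


COMPILED = [(t, template_to_regex(t)) for t in URL_TEMPLATES]


def classify_url(url: str):
    """Return the first template (in list order) that matches, else None."""
    for template, rx in COMPILED:
        if rx.match(url):
            return template
    return None


def match_proxy_log(log_text: str):
    """Pull every URL out of the log and keep those matching a template."""
    hits = []
    for line in log_text.splitlines():
        for url in _URL_IN_LOG.findall(line):
            template = classify_url(url)
            if template:
                hits.append({"url": url, "template": template, "line": line})
    return hits


# Constructed proxy log in "epoch client method url status" form.
SAMPLE_PROXY_LOG = """\
1717668001.123 10.0.0.5 GET http://dubacdn.cmcmcdn.com/sem/installer/100.png 200
1717668002.456 10.0.0.5 GET http://dubacdn.cmcmcdn.com/sem/installer/ald_718.png 200
1717668003.789 10.0.0.7 GET http://dubacdn.cmcmcdn.com/sem/installer/ald_abc.png 404
1717668004.000 10.0.0.9 GET http://example.com/sem/installer/100.png 200
1717668005.000 10.0.0.9 GET http://dubacdn.cmcmcdn.com/sem/installer/a/b.png 200
"""

if __name__ == "__main__":
    for h in match_proxy_log(SAMPLE_PROXY_LOG):
        print(h["template"], "<-", h["url"])
```

Match on the full path template rather than on the host: the same CDN host name appears in the sample alongside Kingsoft/duba product strings, so a host-only rule will also fire on the vendor's ordinary installer traffic, while the /sem/installer/*.png pattern is what this particular installer fetches.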
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: set-addPolicy
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: id-cmc-addExtensions
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: GetPacketData %dGetPacketData return:%dExtract...Extract return:%dLoadImageToMem CreateFile error:%d, path:%wsCreateFileByMem CreateFileMapping error:%d, path:%wsCreateFileByMem MapViewOfFile error:%d, path:%wszzd.{9B8A9862-3FE6-452e-A096-31E845BF839B}HKEY_CURRENT_CONFIGHKEY_DYN_DATAHKEY_PERFORMANCE_DATAHKEY_USERSHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKEY_CLASSES_ROOTHKCCHKDDHKPDHKUHKLMHKCUHKCRTypeLibSoftwareSYSTEMSECURITYSAMMimeHardwareInterfaceFileTypeComponent CategoriesDeleteNoRemoveForceRemoveValBDMS1SOFTWARE\KSafeInstall PathSOFTWARE\MyDrivers\DriverGeniusAppPathSOFTWARE\kingsoft\AntivirusProgramPathressrc\chs\uplive.svrTryNocommonSOFTWARE\kbasesrvSOFTWARE\cmcm\kdeskSOFTWARE\kingsoft\KwifiWorkPathSOFTWARE\cmcm\kcalendarUninstallStringSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sysslimSOFTWARE\liebaoSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastpdfSOFTWARE\cmpcproduct_tag_cmpc_ch.tagSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpic2536179c73102b3a1ccccdad81bb95f0https://newvip.duba.net/api/v2/ocpc/report_install_successhttps://newvip.duba.net/api/v2/ocpc/un_installcfBdVidbdVidCLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\AntivirusOcpcLongCodeLogIdUserTypeCLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{9B4EEDF7-FC98-4fa0-8440-9D1BC57B5F2F}uidtid1tid2tod1tod2CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}idexSOFTWARE\kingsoft\Antivirus\Setupkinstalltool_{0A3C83FD-7B1D-4c3f-8932-190BA6D25F90}KInstallToolinstallhttp://weather2db.cmcm.com/ip/cityiduniqid: %sContent-Type: text/plainfrom: dubaversion: 1lnt: 0lat: 
0dataactioncidtidkidsilentscenesysdoctorid%TEMP%kinsttemp\kinsttemp\install_res_\evade.dathttp://config.i.duba.net/aldconfig/area.datpopstylearea_smedrivergeniushttp://dubacdn.cmcmcdn.com/sem/installer/%s.pnghttp://dubacdn.cmcmcdn.com/sem/installer/%d.png\100.pnghttp://dubacdn.cmcmcdn.com/sem/installer/ald_%d.pnghttp://dubacdn.cmcmcdn.com/sem/installer/ald2_%d.png\110.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: " id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:f64eaef3-0e06-4f4b-aa81-5013a8233989" xmpMM:DocumentID="xmp.did:BEDADF69381C11E5BD258E794D2F6E64" xmpMM:InstanceID="xmp.iid:BEDADF68381C11E5BD258E794D2F6E64" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:ed0f7c5d-e51b-4cab-add2-b155dfd1c421" stRef:documentID="xmp.did:f64eaef3-0e06-4f4b-aa81-5013a8233989"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: " id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:f64eaef3-0e06-4f4b-aa81-5013a8233989" xmpMM:DocumentID="xmp.did:BF150268381C11E5BD258E794D2F6E64" xmpMM:InstanceID="xmp.iid:BF150267381C11E5BD258E794D2F6E64" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:ed0f7c5d-e51b-4cab-add2-b155dfd1c421" stRef:documentID="xmp.did:f64eaef3-0e06-4f4b-aa81-5013a8233989"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: " id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:f64eaef3-0e06-4f4b-aa81-5013a8233989" xmpMM:DocumentID="xmp.did:AA6B9DFE876E11E5AC9ABBD119337D37" xmpMM:InstanceID="xmp.iid:AA6B9DFD876E11E5AC9ABBD119337D37" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:ed0f7c5d-e51b-4cab-add2-b155dfd1c421" stRef:documentID="xmp.did:f64eaef3-0e06-4f4b-aa81-5013a8233989"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>in
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Process created: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe "C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe" -Pid:"8164" -LogFileName:"C:\Users\user\AppData\Local\Temp\kantivirus\semPacketDllLog.log" -InstallPath:"C:\Users\user\AppData\Local\Temp\kantivirus" -Tid1:"10" -Tid2:"166" -Tod1:"718" -Tod2:"1" -IId:"210464360" -UUID:"0947BEFD7C7CA35ACEDFFC1E2AE55DC7" -TryNo:"1335" -SvrId:"2024.SP1.9" -StrategyList:"0;1;2;3;4|0;2;3;4" -Version:"3" -ProductInstalled:"0" -CompetitorMask:"0" -CompetitorInstalled:"0"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Process created: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe "C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe" -Pid:"8164" -LogFileName:"C:\Users\user\AppData\Local\Temp\kantivirus\semPacketDllLog.log" -InstallPath:"C:\Users\user\AppData\Local\Temp\kantivirus" -Tid1:"10" -Tid2:"166" -Tod1:"718" -Tod2:"1" -IId:"210464360" -UUID:"0947BEFD7C7CA35ACEDFFC1E2AE55DC7" -TryNo:"1335" -SvrId:"2024.SP1.9" -StrategyList:"0;1;2;3;4|0;2;3;4" -Version:"3" -ProductInstalled:"0" -CompetitorMask:"0" -CompetitorInstalled:"0"
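Editor's added example, not part of the sandbox report: the behavior lines in this section (file and mutant creation, process creation, strings found in memory) are what an analyst lifts into host and network indicators, and the InstallHelper.exe command line above carries the campaign telemetry (-Tid1/-Tid2/-Tod1/-Tod2, -UUID, -SvrId) in a regular -Key:"value" form. The parser below pulls those out of lines in the report's own format, including the optional "Jump to behavior" link text the sandbox emits. The parser is mine, not the sandbox vendor's; SAMPLE_REPORT is a handful of lines copied from this report.

```python
"""Pull indicators out of sandbox behavior lines and parse the installer's
-Key:"value" command line. Added example; parser written for this page."""
import re

LINE_RE = re.compile(
    r"^Source: (?P<src>\S+) "
    r"(?P<kind>File created|Mutant created|Process created|String found in binary or memory): "
    r"(?P<value>.*?)(?: Jump to behavior)?$"
)
ARG_RE = re.compile(r'-(?P<key>\w+):"(?P<val>[^"]*)"')
URL_RE = re.compile(r"https?://\S+")


def parse_installer_args(cmdline: str) -> dict:
    """InstallHelper.exe takes -Key:"value" pairs; return them as a dict."""
    return {m.group("key"): m.group("val") for m in ARG_RE.finditer(cmdline)}


def extract_iocs(report_text: str) -> dict:
    """Classify each behavior line and collect files, mutexes, URLs and
    process launches (with their parsed arguments)."""
    iocs = {"files": set(), "mutexes": set(), "urls": set(), "processes": []}
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.group("kind"), m.group("value")
        if kind == "File created":
            iocs["files"].add(value)
        elif kind == "Mutant created":
            iocs["mutexes"].add(value)
        elif kind == "String found in binary or memory":
            iocs["urls"].update(URL_RE.findall(value))
        elif kind == "Process created":
            # first token is the image path; the rest is the command line
            image, _, cmdline = value.partition(" ")
            iocs["processes"].append({
                "parent": m.group("src"),
                "image": image,
                "cmdline": cmdline,
                "args": parse_installer_args(cmdline),
            })
    return iocs


# Lines copied from this report (raw string: the paths contain backslashes).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Windows\system32\drivers\neorkbsep.sys Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: c:\program files (x86)\kingsoft Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Mutant created: \Sessions\1\BaseNamedObjects\{C16A0C4F-108B-4580-A7A0-8DEF25D2E9EF}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Mutant created: \Sessions\1\BaseNamedObjects\lock
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Users\user\AppData\Local\Temp\jcqgx.ini Jump to behavior
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/%d.png
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe String found in binary or memory: http://dubacdn.cmcmcdn.com/sem/installer/ald_%d.png
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Process created: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe "C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe" -Pid:"8164" -LogFileName:"C:\Users\user\AppData\Local\Temp\kantivirus\semPacketDllLog.log" -InstallPath:"C:\Users\user\AppData\Local\Temp\kantivirus" -Tid1:"10" -Tid2:"166" -Tod1:"718" -Tod2:"1" -IId:"210464360" -UUID:"0947BEFD7C7CA35ACEDFFC1E2AE55DC7" -TryNo:"1335" -SvrId:"2024.SP1.9" -StrategyList:"0;1;2;3;4|0;2;3;4" -Version:"3" -ProductInstalled:"0" -CompetitorMask:"0" -CompetitorInstalled:"0" Jump to behavior
"""

if __name__ == "__main__":
    result = extract_iocs(SAMPLE_REPORT)
    for key in ("files", "mutexes", "urls"):
        print(key, sorted(result[key]))
    for proc in result["processes"]:
        print(proc["image"], proc["args"])
```

The UUID, TryNo and SvrId values are per-installation telemetry, so they are useful for clustering reports from the same campaign, not as blocking indicators; the driver path and the two mutex names are the stable host artifacts in this set.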
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: capabilityaccessmanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: capauthz.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wifidatacapabilityhandler.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cellulardatacapabilityhandler.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: kdtutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: firewallapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: fwbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: kdtutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: kdtutil.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File written: C:\Users\user\AppData\Local\Temp\jcqgx.ini
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static file information: File size 4219696 > 1048576
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19a000
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1bf000
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: plus3.0_fb\product\win32\dbginfo\kfilemgr64.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65155924750.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65156023010.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65178139763.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65216613806.00000000057D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: plus3.0_fb\product\win32\dbginfo\kfilemgr64.pdbH source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65155924750.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65156023010.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65178139763.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65216613806.00000000057D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kanti\kanti\Product\win32\dbginfo\ksapi64-dll.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118473742.00000000057DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65710916505.000000000BDD2000.00000002.00000001.01000000.0000000A.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, ksapi.dll.5.dr
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine_git\kisengine_git\product\win32\dbginfo\kinstuiofficial.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine_git\kisengine_git\product\win32\dbginfo\kinstui_exe.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615571903.0000000000A51000.00000004.00000020.00020000.00000000.sdmp, InstallHelper.exe, 00000009.00000002.65683400124.000000000044A000.00000002.00000001.01000000.0000000C.sdmp, InstallHelper.exe, 00000009.00000000.65615335906.000000000044A000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kis_2012_defend_dev_kplus3.0_fb\product\win32\dbginfo\kfilemgr64.pdb source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kis_2012_defend_dev_kplus3.0_fb\product\win32\dbginfo\kfilemgr64.pdbH source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65118532734.00000000057CF000.00000004.00000020.00020000.00000000.sdmp, neorkbsep.sys.5.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00406640 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00406640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_3_00A28F2C pushad ; ret 5_3_00A28F2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004A6029 push ecx; ret 5_2_004A603C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004A3361 push ecx; ret 5_2_004A3374
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_005934C3 push ecx; ret 5_2_005934D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00593620 push eax; ret 5_2_0059363E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC7621 push ecx; ret 5_2_0BDC7634
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC7545 push ecx; ret 5_2_0BDC7558
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00417264 push ecx; ret 9_2_00417277
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_0041A611 push ecx; ret 9_2_0041A624
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00407F80 push ecx; mov dword ptr [esp], 0045AD38h 9_2_00407F96
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,FindCloseChangeNotification, \\.\PhysicalDrive%d 5_2_004781AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,FindCloseChangeNotification, %d ReadPhysicalDriveInNTWithAdminRights ERRORDeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d 5_2_004781AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 5_2_00478342
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_00478588
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Users\user\AppData\Local\Temp\kantivirus\ksapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Users\user\AppData\Local\Temp\kdb_semrjgj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Windows\System32\drivers\neorkbsep.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0043CAF9 PathFileExistsW,GetPrivateProfileIntW, 5_2_0043CAF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0048F10F GetModuleFileNameW,PathRemoveFileSpecW,PathAppendW,PathFileExistsW,GetPrivateProfileIntW, 5_2_0048F10F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0043B81B GetPrivateProfileStringW, 5_2_0043B81B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File created: C:\Users\user\AppData\Local\Temp\kantivirus\kavsetup.log

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,FindCloseChangeNotification, \\.\PhysicalDrive%d 5_2_004781AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,FindCloseChangeNotification, %d ReadPhysicalDriveInNTWithAdminRights ERRORDeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d 5_2_004781AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 5_2_00478342
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_00478588
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB2040 OpenSCManagerW,OpenServiceW,OpenServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle, 5_2_0BDB2040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_NetworkAdapter where PnpDeviceID like 'PCI%' or PnpDeviceID like 'USB%'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: %SYSTEMROOT%\SYSTEM32\DRIVERS\DEEPFRZ.SYSDEEP FREEZEYZIDIOT.SYSYZIDIOTSBIEDLL.DLLWOW64DISABLEWOW64FSREDIRECTIONWOW64REVERTWOW64FSREDIRECTIONVMWAREVMWAREVBOXHOOK.DLL\\.\VBOXMINIRDRDN1-VMSRVCVPC-S3VPCUBUSVPCUHUBSYSTEM32\VPC-S3.DLLSYSTEM32\DRIVERS\VPC-S3.SYSSYSTEM32\DRIVERS\VPCGBUS.SYSSYSTEM32\DRIVERS\VPCUBUS.SYSVMUSRVC.EXESYSTEM\CURRENTCONTROLSET\SERVICESSYSTEM32\DRIVERS\VIOSTOR.SYSKVMSYSTEMPRODUCTNAMEHARDWARE\DESCRIPTION\SYSTEM\BIOSVIRTUAL CPUPROCESSORNAMESTRINGHARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\015ADVEN_%S80EE1AB8SYSTEM\CURRENTCONTROLSET\ENUM\PCI
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Window / User API: foregroundWindowGot 418
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kantivirus\ksapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kdb_semrjgj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\neorkbsep.sys
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe API coverage: 8.4 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard WHERE (SerialNumber IS NOT NULL)
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB7DA0 GetLastError,FindFirstFileW, 5_2_0BDB7DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDB7D60 GetLastError,FindFirstFileA, 5_2_0BDB7D60
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00443E37 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 9_2_00443E37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004871D8 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW, 5_2_004871D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0045E768 GetSystemInfo, 5_2_0045E768
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: %Systemroot%\system32\drivers\DeepFrz.sysDeep FreezeYzIdiot.sysYzIdiotSbieDll.dllWow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionVMwareVMwareVBoxHook.dll\\.\VBoxMiniRdrDN1-vmsrvcvpc-s3vpcubusvpcuhubSystem32\vpc-s3.dllsystem32\DRIVERS\vpc-s3.syssystem32\DRIVERS\vpcgbus.syssystem32\DRIVERS\vpcubus.sysvmusrvc.exeSYSTEM\CurrentControlSet\Servicessystem32\DRIVERS\viostor.sysKVMSystemProductNameHARDWARE\DESCRIPTION\System\BIOSVirtual CPUProcessorNameStringHARDWARE\DESCRIPTION\System\CentralProcessor\015ADVEN_%s80EE1AB8SYSTEM\CurrentControlSet\Enum\PCI
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: \\.\VBoxMiniRdrDN
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: VMwareVMware
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65687862327.0000000002A1D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65687862327.00000000029AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65685771122.000000000094E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: InstallHelper.exe, 00000009.00000002.65684197051.00000000006CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: VBoxHook.dll
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004A32B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_004A32B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00406640 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00406640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00499AE7 GetProcessHeap,HeapAlloc,RtlInterlockedPopEntrySList,VirtualAlloc,RtlInterlockedPopEntrySList,VirtualFree,RtlInterlockedPushEntrySList, 5_2_00499AE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0043CFF8 KiUserCallbackDispatcher,InitCommonControlsEx,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection, 5_2_0043CFF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004A32B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_004A32B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0049B359 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0049B359
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0049938C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0049938C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC92C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0BDC92C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC6057 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0BDC6057
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0BDC5C53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0BDC5C53
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_004141C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_004141C8
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_004171EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_004171EC
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_0041A32F SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_0041A32F
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: 9_2_00422A60 SetUnhandledExceptionFilter, 9_2_00422A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, explorer.exe 5_2_0048262B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: CreateToolhelp32Snapshot,GetLastError,Process32FirstW,Process32NextW,GetLastError,CloseHandle,CloseHandle,OpenProcess,GetLastError,OpenProcessToken,GetLastError,CloseHandle, explorer.exe 5_2_0044EC20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Process created: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe "C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe" -Pid:"8164" -LogFileName:"C:\Users\user\AppData\Local\Temp\kantivirus\semPacketDllLog.log" -InstallPath:"C:\Users\user\AppData\Local\Temp\kantivirus" -Tid1:"10" -Tid2:"166" -Tod1:"718" -Tod2:"1" -IId:"210464360" -UUID:"0947BEFD7C7CA35ACEDFFC1E2AE55DC7" -TryNo:"1335" -SvrId:"2024.SP1.9" -StrategyList:"0;1;2;3;4|0;2;3;4" -Version:"3" -ProductInstalled:"0" -CompetitorMask:"0" -CompetitorInstalled:"0"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Process created: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe "c:\users\user\appdata\local\temp\kantivirus\installhelper.exe" -pid:"8164" -logfilename:"c:\users\user\appdata\local\temp\kantivirus\sempacketdlllog.log" -installpath:"c:\users\user\appdata\local\temp\kantivirus" -tid1:"10" -tid2:"166" -tod1:"718" -tod2:"1" -iid:"210464360" -uuid:"0947befd7c7ca35acedffc1e2ae55dc7" -tryno:"1335" -svrid:"2024.sp1.9" -strategylist:"0;1;2;3;4|0;2;3;4" -version:"3" -productinstalled:"0" -competitormask:"0" -competitorinstalled:"0"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00486614 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,InitializeCriticalSection,GetCurrentProcessId,CreateEventW,CreateEventW,CreateEventW,CreateThread, 5_2_00486614
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_0044EE56 AllocateAndInitializeSid,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,EqualSid,LocalFree,FreeSid, 5_2_0044EE56
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Binary or memory string: DShell_TrayWndwhite_light
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004780AC cpuid 5_2_004780AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: GetLocaleInfoA, 5_2_004B64C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: GetLocaleInfoA, 5_2_004B56C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: EnumSystemLocalesA, 5_2_004B5B3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 5_2_004B5BDC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: EnumSystemLocalesA, 5_2_004B5BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: GetLocaleInfoA, 5_2_004A5FBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: GetLocaleInfoA, 5_2_0BDCDDB0
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 9_2_00428000
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: GetLocaleInfoA, 9_2_0042402D
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 9_2_0042409F
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 9_2_00428176
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: GetLocaleInfoA, 9_2_0042426F
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: EnumSystemLocalesA, 9_2_0042432E
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 9_2_004243CF
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: EnumSystemLocalesA, 9_2_00424393
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 9_2_00413CC5
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: GetLocaleInfoA, 9_2_00425EE8
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: GetLocaleInfoA, 9_2_00423EB5
Source: C:\Users\user\AppData\Local\Temp\kantivirus\InstallHelper.exe Code function: GetLocaleInfoA, 9_2_00423F97
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_00484743 CoCreateGuid,GetLocalTime,GetComputerNameA,GetSystemDirectoryW,GetDiskFreeSpaceExW, 5_2_00484743
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004A873E GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 5_2_004A873E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Code function: 5_2_004788B6 GetVersionExW, 5_2_004788B6
Source: SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65260956996.0000000005842000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65209331608.0000000005843000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65245149130.0000000005842000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65268106271.0000000005842000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65615684858.0000000005842000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000002.65690955337.0000000005842000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe, 00000005.00000003.65282683181.0000000005842000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kxetray.exe

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe Device IO: \Device\Harddisk0\DR0